System Security Plan Template 120512 - 508

System Security Plan <Information System Name>, <Date>
FedRAMP System Security Plan (Template)
<Vendor Name> <Information System Name> <Version 1.0>

December 5, 2012 Company Sensitive and Proprietary For Authorized Use Only
System Security Plan Prepared by

Identification of Organization that Prepared this Document Organization Name Street Address <insert logo> Suite/Room/Building City, State Zip
Prepared for
Identification of Cloud Service Provider Organization Name Street Address <insert logo> Suite/Room/Building City, State Zip
Company Sensitive and Proprietary
Page 2
Executive Summary
This document details the System Security Plan (SSP) for the <Information System Name> security controls. This System Security Plan was written in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Information Technology Systems. <Company Name> is a <privately/publicly> owned company headquartered in <City, State>. Completion of this SSP, which describes how U.S. federal information will be safeguarded, is a requirement of the Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, and Public Law 100-235, the Computer Security Act of 1987.
Page 3
Document Revision History

Date
05/17/2012 06/06/2012 06/13/2012 06/18/2012 06/18/2012
Description
Document Publication Changed Numbering in Instruction Statement 9.3 Formatting AC-17(7) Updated RA-5a Added RA-5(5) Table of Contents Updated; Added Instruction to 9.3; Revised Signature Pages; Revised Tables 6-1 and 6-2; Updated Instruction for 7.0; Updated Instruction for 9.4. Removed CP-9d. Revised formatting for CM-3(g); Added two rows (h and i) to IA-5 table on p. 185. Part c removed from CM-2(5). Revised AC-16 to include missing text.
Version of System
N/A N/A N/A N/A N/A
Author
FedRAMP Office FedRAMP Office FedRAMP Office FedRAMP Office FedRAMP Office
7/23/2012
N/A
FedRAMP Office
07/25/2012 10/15/2012 12/5/2012
N/A N/A N/A
FedRAMP Office FedRAMP Office FedRAMP Office
Page 4
Table of Contents
About This Document ................................................................................................................................. 19 Who should use this document? ................................................................................................................ 19 How this document is organized ................................................................................................................. 19 Conventions Used In This Document .......................................................................................................... 20 How to contact us ....................................................................................................................................... 20 System Security Plan Approvals .................................................................................................................. 22 1. 2. 2.1. 2.2. 2.3. 3. 4. 5. 6. 7. 8. 8.1. 8.2. 9. 9.1. 9.2. 9.3. 9.4. 10. Information System Name/Title ...................................................................................................... 23 Information System Categorization................................................................................................. 23 Information Types ........................................................................................................................... 23 Security Objectives Categorization (FIPS 199) ................................................................................ 25 E-Authentication Determination (E-Auth) ...................................................................................... 26 Information System Owner ............................................................................................................. 27 Authorizing Official.......................................................................................................................... 27 Other Designated Contacts ............................................................................................................. 27 Assignment of Security Responsibility ............................................................................................ 28 Information System Operational Status .......................................................................................... 29 Information System Type ................................................................................................................ 29 Cloud Service Model ....................................................................................................................... 29 Leveraged Provisional Authorizations ............................................................................................. 30 General System Description ............................................................................................................ 30 System Function or Purpose ........................................................................................................... 31 Information System Components and Boundaries ......................................................................... 31 Types of Users ................................................................................................................................. 31 Network Architecture...................................................................................................................... 32 System Environment ....................................................................................................................... 32 10.1.1. 10.1.2. 10.1.3. 10.1.4. 10.1.5. 11. Hardware Inventory ........................................................................................................ 33 Software Inventory.......................................................................................................... 33 Network Inventory .......................................................................................................... 34 Data Flow ........................................................................................................................ 36 Ports, Protocols and Services .......................................................................................... 36
System Interconnections ................................................................................................................. 37
Page 5
<Information System Name> System Security Plan Version <0.00> / <Date>
12.
Applicable Laws and Regulations .................................................................................................... 39
12.1. Applicable Laws ............................................................................................................................... 39 12.2. Applicable Standards and Guidance ............................................................................................... 39 13. Minimum Security Controls ............................................................................................................ 40 13.1.1. 13.1.2. 13.1.2.1. Access Control Policy and Procedures Requirements (AC-1) .......................................... 53 Account Management (AC-2) .......................................................................................... 54 Control Enhancements for Account Management ......................................................... 56 13.1. Access Control (AC) ......................................................................................................................... 53
13.1.2.1.1. Control Enhancement AC-2 (1) ................................................................................... 56 13.1.2.1.2. Control Enhancement AC-2 (2) ................................................................................... 57 13.1.2.1.3. Control Enhancement AC-2 (3) ................................................................................... 58 13.1.2.1.4. Control Enhancement AC-2 (4) ................................................................................... 58 13.1.2.1.5. Control Enhancement AC-2 (7) ................................................................................... 59 13.1.3. 13.1.3.1. 13.1.4. 13.1.5. 13.1.6. 13.1.6.1. Access Enforcement (AC-3) ............................................................................................. 60 Control Enhancement for Access Enforcement .............................................................. 61 Information Flow Enforcement (AC-4) ............................................................................ 63 Separation of Duties (AC-5)............................................................................................. 64 Least Privilege (AC-6) ...................................................................................................... 65 Control Enhancements for Least Privilege ...................................................................... 66
13.1.3.1.1. Control Enhancement AC-3 (3) ................................................................................... 61
13.1.6.1.1. Control Enhancement AC-6 (1) ................................................................................... 66 13.1.6.1.2. Control Enhancement AC-6 (2) ................................................................................... 67 13.1.7. 13.1.8. 13.1.9. 13.1.10. Unsuccessful Login Attempts (AC-7) ............................................................................... 68 System Use Notification (AC-8) ....................................................................................... 69 Concurrent Session Control (AC-10)................................................................................ 72 Session Lock (AC-11) ....................................................................................................... 72
13.1.10.1. Control Enhancements for Session Lock ......................................................................... 73 13.1.10.1.1. Control Enhancement AC-11 (1) ................................................................................. 73 13.1.11. Permitted Actions w/o Identification or Authentication (AC-14) ................................... 74 13.1.11.1. Control Enhancements for Permitted Actions w/o Identification or Auth. .................... 75 13.1.11.1.1. Control Enhancement AC-14(1) .................................................................................. 75 13.1.12. 13.1.13. Security Attributes (AC-16) ............................................................................................. 76 Remote Access (AC-17) ................................................................................................... 77
13.1.13.1. Control Enhancements for Remote Control .................................................................... 78 Company Sensitive and Proprietary
Page 6
13.1.13.1.1. Control Enhancement AC-17 (1) ................................................................................. 78 13.1.13.1.2. Control Enhancement AC-17 (2) ................................................................................. 79 13.1.13.1.3. Control Enhancement AC-17 (3) ................................................................................. 80 13.1.13.1.4. Control Enhancement AC-17 (4) ................................................................................. 80 13.1.13.1.5. Control Enhancement AC-17 (5) ................................................................................. 81 13.1.13.1.6. Control Enhancement AC-17 (7) ................................................................................. 82 13.1.13.1.7. Control Enhancement AC-17 (8) ................................................................................. 83 13.1.14. Wireless Access Restrictions (AC-18) .............................................................................. 84 13.1.14.1. Wireless Access Restrictions Control Enhancements...................................................... 85 13.1.14.1.1. Control Enhancement AC-18 (1) ................................................................................. 85 13.1.14.1.2. Control Enhancement AC-18 (2) ................................................................................. 86 13.1.15. Access Control for Portable and Mobile Systems (AC-19)............................................... 86 13.1.15.1. Access Control for Portable and Mobile Systems Control Enhancements ...................... 89 13.1.15.1.1. Control Enhancement AC-19 (1) ................................................................................. 89 13.1.15.1.2. Control Enhancement AC-19 (2) ................................................................................. 89 13.1.15.1.3. Control Enhancement AC-19 (3) ................................................................................. 90 13.1.16. Use of External Information Systems (AC-20) ................................................................. 91 13.1.16.1. Use of External Information Systems Control Enhancements ........................................ 92 13.1.16.1.1. Control Enhancement AC-20 (1) ................................................................................. 92 13.1.16.1.2. Control Enhancement AC-20 (2) ................................................................................. 93 13.1.17. 13.2.1. 13.2.2. 13.2.3. 13.2.4. 13.3.1. 13.3.2. 13.3.2.1. Publicly Accessible Content (AC-22)................................................................................ 93 Security Awareness and Training Policy and Procedures (AT-1) ..................................... 95 Security Awareness (AT-2)............................................................................................... 96 Security Training (AT-3) ................................................................................................... 97 Security Training Records (AT-4)...................................................................................... 98 Audit and Accountability Policy and Procedures (AU-1) ................................................. 99 Auditable Events (AU-2) ................................................................................................ 100 Control Enhancements for Auditable Events ................................................................ 102 13.2. Awareness and Training (AT) ........................................................................................................... 95
13.3. Audit and Accountability (AU)......................................................................................................... 99
13.3.2.1.1. Control Enhancement AU-2 (3) ................................................................................. 102 13.3.2.1.2. Control Enhancement AU-2 (4) ................................................................................. 103 13.3.3. 13.3.3.1. Content of Audit Records (AU-3)................................................................................... 104 Control Enhancement for Content of Audit Records .................................................... 105 Company Sensitive and Proprietary
Page 7
13.3.3.1.1. Control Enhancement AU-3 (1) ................................................................................. 105 13.3.4. 13.3.5. 13.3.6. 13.3.6.1. Audit Storage Capacity (AU-4)....................................................................................... 106 Response to Audit Processing Failures (AU-5) .............................................................. 107 Audit Review, Analysis, and Reporting (AU-6)............................................................... 108 Control Enhancements for Audit Review, Analysis, and Reporting ............................... 109
13.3.6.1.1. Control Enhancement AU-6 (1) ................................................................................. 109 13.3.6.1.2. Control Enhancement AU-6 (3) ................................................................................. 110 13.3.7. 13.3.7.1. 13.3.8. 13.3.8.1. 13.3.9. 13.3.9.1. 13.3.10. Audit Reduction and Report Generation (AU-7) ........................................................... 111 Control Enhancement for Audit Reduction and Report Generation ............................. 111 Time Stamps (AU-8) ...................................................................................................... 112 Control Enhancement for Time Stamps ........................................................................ 113 Protection of Audit Information (AU-9) ........................................................................ 115 Control Enhancement for Protection of Audit Information .......................................... 115 Non-Repudiation (AU-10).............................................................................................. 116
13.3.7.1.1. Control Enhancement AU-7 (1) ................................................................................. 111
13.3.8.1.1. Control Enhancement AU-8 (1) ................................................................................. 113
13.3.9.1.1. Control Enhancement AU-9 (2) ................................................................................. 116 13.3.10.1. Control Enhancement for Non-Repudiation ................................................................. 117 13.3.10.1.1. Control Enhancement AU-10 (5) ............................................................................... 117 13.3.11. 13.3.12. 13.4.1. 13.4.2. 13.4.2.1. 13.4.3. 13.4.4. 13.4.5. 13.4.6. 13.4.6.1. Audit Record Retention (AU-11) ................................................................................... 118 Audit Generation (AU-12) ............................................................................................. 119 Certification, Authorization, Security Assessment Policies and Procedures (CA-1) ...... 120 Security Assessments (CA-2) ......................................................................................... 121 Control Enhancement for Security Assessments .......................................................... 123 Information System Connections (CA-3) ....................................................................... 124 Plan of Action and Milestones (CA-5) ........................................................................... 125 Security Authorization (CA-6)........................................................................................ 126 Continuous Monitoring (CA-7) ...................................................................................... 128 Control Enhancement for Continuous Monitoring ....................................................... 129
13.4. Security Assessment and Authorization (CA) ................................................................................ 120
13.4.2.1.1. Control Enhancement CA-2 (1) ................................................................................. 123
13.4.6.1.1. Control Enhancement CA-7 (2) ................................................................................. 129 13.5. Configuration Management (CM) ................................................................................................. 130 13.5.1. Configuration Management Policy and Procedures (CM-1) ......................................... 130 Company Sensitive and Proprietary
Page 8
13.5.2. 13.5.2.1.
Baseline Configuration and System Component Inventory (CM-2) ............................ 131 Control Enhancements for Baseline Configuration and System Component Inventory132
13.5.2.1.1. Control Enhancement CM-2 (1) ................................................................................ 132 13.5.2.1.2. Control Enhancement CM-2 (3) ................................................................................ 133 13.5.2.1.3. Control Enhancement CM-2 (5) ................................................................................ 134 13.5.3. 13.5.3.1. 13.5.4. 13.5.5. 13.5.5.1. 13.5.6. 13.5.6.1. Configuration Change Control (CM-3)........................................................................... 135 Control Enhancement for Configuration Change Control ............................................. 137 Monitoring Configuration Changes (CM-4) ................................................................... 138 Access Restrictions for Change (CM-5) ......................................................................... 139 Control Enhancements for Access Restrictions for Change .......................................... 139 Configuration Settings (CM-6)....................................................................................... 141 Control Enhancements for Configuration Settings........................................................ 143
13.5.3.1.1. Control Enhancement CM-3 (2) ................................................................................ 137
13.5.6.1.1. Control Enhancement CM-6 (1) ................................................................................ 143 13.5.6.1.2. Control Enhancement CM-6 (3) ................................................................................ 144 13.5.7. 13.5.7.1. 13.5.8. 13.5.8.1. Least Functionality (CM-7) ............................................................................................ 144 Control Enhancements for Least Functionality ............................................................. 145 Information System Component Inventory (CM-8) ...................................................... 146 Control Enhancements for Information System Component Inventory ....................... 147
13.5.8.1.1. Control Enhancement CM-8 (1) ................................................................................ 147 13.5.8.1.2. Control Enhancement CM-8 (3) ................................................................................ 148 13.5.8.1.3. Control Enhancement CM-8 (5) ................................................................................ 149 13.5.9. 13.6.1. 13.6.2. 13.6.2.1. Configuration Management Plan (CM-9) ...................................................................... 150 Contingency Planning Policy and Procedures (CP-1) .................................................... 151 Contingency Plan (CP-2) ................................................................................................ 152 Control Enhancements for Contingency Plan ............................................................... 154 13.6. Contingency Planning (CP) ............................................................................................................ 151
13.6.2.1.1. Control Enhancement CP-2 (1).................................................................................. 154 13.6.2.1.2. Control Enhancement CP-2 (2).................................................................................. 155 13.6.3. 13.6.4. 13.6.4.1. Contingency Training (CP-3) .......................................................................................... 156 Contingency Plan Testing and Exercises (CP-4) ............................................................. 157 Control Enhancements for Contingency Plan Testing and Exercises ............................. 158 Company Sensitive and Proprietary
Page 9
13.6.4.1.1. Control Enhancement CP-4 (1).................................................................................. 158 13.6.5. 13.6.5.1. Alternate Storage Site (CP-6)......................................................................................... 159 Control Enhancements for Alternate Storage Site ........................................................ 160
13.6.5.1.1. Control Enhancement CP-6 (1).................................................................................. 160 13.6.5.1.2. Control Enhancement CP-6 (3).................................................................................. 160 13.6.6. 13.6.6.1. Alternate Processing Site (CP-7).................................................................................... 161 Control Enhancements for Alternate Processing Site ................................................... 162
13.6.6.1.1. Control Enhancement CP-7 (1).................................................................................. 162 13.6.6.1.2. Control Enhancement CP-7 (2).................................................................................. 163 13.6.6.1.3. Control Enhancement CP-7 (3).................................................................................. 164 13.6.6.1.4. Control Enhancement CP-7 (5).................................................................................. 164 13.6.7. 13.6.7.1. Telecommunications Services (CP-8) ............................................................................ 165 Control Enhancements for Telecommunications Services ............................................ 166
13.6.7.1.1. Control Enhancement CP-8 (1).................................................................................. 166 13.6.7.1.2. Control Enhancement CP-8 (2).................................................................................. 167 13.6.8. 13.6.8.1. Information System Backup (CP-9)................................................................................ 168 Control Enhancements for Information System Backup ............................................... 170
13.6.8.1.1. Control Enhancement CP-9 (1).................................................................................. 170 13.6.8.1.2. Control Enhancement CP-9 (3).................................................................................. 171 13.6.9. 13.6.9.1. Information System Recovery and Reconstitution (CP-10) ........................................... 171 Control Enhancements for System Recovery and Reconstitution................................. 172
13.6.9.1.1. Control Enhancement CP-10 (2)................................................................................ 172 13.6.9.1.2. Control Enhancement CP-10 (3)................................................................................ 173 13.7. Identification and Authentication (IA) .......................................................................................... 174 13.7.1. 13.7.2. 13.7.2.1. Identification and Authentication Policy and Procedures (IA-1) ................................... 174 User Identification and Authentication (IA-2) ............................................................... 175 Control Enhancements for User Identification and Authentication ............................. 176
13.7.2.1.1. Control Enhancement IA-2 (1) .................................................................................. 176 13.7.2.1.2. Control Enhancement IA-2 (2) .................................................................................. 176 13.7.2.1.3. Control Enhancement IA-2 (3) .................................................................................. 177 13.7.2.1.4. Control Enhancement IA-2 (8) .................................................................................. 178 13.7.3. 13.7.4. 13.7.4.1. Device Identification and Authentication (IA-3) ........................................................... 179 Identifier Management (IA-4) ....................................................................................... 180 Control Enhancement for Identifier Management ....................................................... 182 Company Sensitive and Proprietary
Page 10
13.7.4.1.1. Control Enhancement IA-4 (4) .................................................................................. 182 13.7.5. 13.7.5.1. Authenticator Management (IA-5)................................................................................ 183 Control Enhancements for Authenticator Management .............................................. 185
13.7.5.1.1. Control Enhancement IA-5 (1) .................................................................................. 185 13.7.5.1.2. Control Enhancement IA-5 (2) .................................................................................. 187 13.7.5.1.3. Control Enhancement IA-5 (3) .................................................................................. 188 13.7.5.1.4. Control Enhancement IA-5 (6) .................................................................................. 189 13.7.5.1.5. Control Enhancement IA-5 (7) .................................................................................. 189 13.7.6. 13.7.7. 13.7.1. 13.8.1. 13.8.2. 13.8.3. 13.8.4. 13.8.4.1. 13.8.5. 13.8.6. 13.8.6.1. 13.8.7. 13.8.7.1. Authenticator Feedback (IA-6) ...................................................................................... 190 Cryptographic Module Authentication (IA-7) ............................................................... 191 Identification and Authentication (Non-Organizational Users) (IA-8)........................... 192 Incident Response Policy and Procedures (IR-1) ........................................................... 192 Incident Response Training (IR-2).................................................................................. 193 Incident Response Testing and Exercises (IR-3)............................................................. 194 Incident Handling (IR-4) ................................................................................................ 195 Control Enhancement for Incident Handling ................................................................ 197 Incident Monitoring (IR-5)............................................................................................. 198 Incident Reporting (IR-6) ............................................................................................... 199 Control Enhancement for Incident Reporting ............................................................... 200 Incident Response Assistance (IR-7).............................................................................. 201 Control Enhancements for Incident Response Assistance ............................................ 201
13.8. Incident Response (IR) .................................................................................................................. 192
13.8.4.1.1. Control Enhancement IR-4 (1)................................................................................... 197
13.8.6.1.1. Control Enhancement IR-6 (1)................................................................................... 200
13.8.7.1.1. Control Enhancement IR-7 (1)................................................................................... 201 13.8.7.1.2. Control Enhancement IR-7 (2)................................................................................... 202 13.8.8. 13.9.1. 13.9.2. 13.9.2.1. 13.9.3. 13.9.3.1. Incident Response Plan (IR-8) ....................................................................................... 203 System Maintenance Policy and Procedures (MA-1) .................................................... 205 Controlled Maintenance (MA-2) ................................................................................... 206 Control Enhancements for Controlled Maintenance .................................................... 208 Maintenance Tools (MA-3) ............................................................................................ 209 Control Enhancements for Maintenance Tools ............................................................. 210 Company Sensitive and Proprietary
Page 11
13.9. Maintenance (MA) ........................................................................................................................ 205
13.9.2.1.1. Control Enhancement MA-2 (1) ................................................................................ 208
13.9.3.1.1. Control Enhancement MA-3 (1) ................................................................................ 210 13.9.3.1.2. Control Enhancement MA-3 (2) ................................................................................ 211 13.9.3.1.3. Control Enhancement MA-3 (3) ................................................................................ 211 13.9.4. 13.9.4.1. Remote Maintenance (MA-4) ....................................................................................... 212 Control Enhancements for Remote Maintenance ........................................................ 213
13.9.4.1.1. Control Enhancement MA-4 (1) ................................................................................ 214 13.9.4.1.2. Control Enhancement MA-4 (2) ................................................................................ 214 13.9.5. 13.9.6. 13.10.1. 13.10.2. Maintenance Personnel (MA-5) .................................................................................... 215 Timely Maintenance (MA-6) ......................................................................................... 216 Media Protection Policy and Procedures (MP-1) .......................................................... 217 Media Access (MP-2)..................................................................................................... 218
13.10. Media Protection (MP).................................................................................................................. 217
13.10.2.1. Control Enhancements for Media Access ..................................................................... 220 13.10.2.1.1. Control Enhancement MP-2 (1) ................................................................................ 220 13.10.3. 13.10.4. Media Labeling (MP-3) .................................................................................................. 221 Media Storage (MP-4) ................................................................................................... 222
13.10.4.1. Control Enhancements for Media Storage .................................................................... 224 13.10.4.1.1. Control Enhancement MP-4 (1) ................................................................................ 224 13.10.5. Media Transport (MP-5) ................................................................................................ 224 13.10.5.1. Control Enhancements for Media Transport................................................................. 226 13.10.5.1.1. Control Enhancement MP-5 (2) ................................................................................ 226 13.10.5.1.2. Control Enhancement MP-5 (4) ................................................................................ 226 13.10.6. Media Sanitization and Disposal (MP-6) ....................................................................... 227 13.10.6.1.1. Control Enhancement MP-6 (4) ................................................................................ 228 13.11. Physical and Environmental Protection (PE) ................................................................................. 229 13.11.1. 13.11.2. 13.11.3. 13.11.4. 13.11.5. 13.11.6. Physical and Environmental Protection Policy and Procedures (PE-1) ......................... 229 Physical Access Authorizations (PE-2) ........................................................................... 230 Physical Access Control (PE-3)....................................................................................... 231 Access Control for Transmission Medium (PE-4) .......................................................... 233 Access Control for Display Medium (PE-5) .................................................................... 234 Monitoring Physical Access (PE-6) ................................................................................ 235
13.11.6.1. Control Enhancements for Monitoring Physical Access ................................................ 236 13.11.6.1.1. Control Enhancement PE-6 (1) .................................................................................. 236 13.11.7. Visitor Control (PE-7)..................................................................................................... 237 Company Sensitive and Proprietary
Page 12
13.11.7.1. Control Enhancements for Visitor Control .................................................................... 237 13.11.7.1.1. Control Enhancement PE-7 (1) .................................................................................. 237 13.11.8. 13.11.9. 13.11.10. 13.11.11. 13.11.12. 13.11.13. Access Records (PE-8) ................................................................................................... 238 Power Equipment and Power Cabling (PE-9) ................................................................ 239 Emergency Shutoff (PE-10) ........................................................................................... 240 Emergency Power (PE-11) ............................................................................................. 241 Emergency Lighting (PE-12) .......................................................................................... 242 Fire Protection (PE-13) .................................................................................................. 243
13.11.13.1. Control Enhancements for Fire Protection ................................................................... 244 13.11.13.1.1. Control Enhancement PE-13 (1) .......................................................................... 244 13.11.13.1.2. Control Enhancement PE-13 (2) .......................................................................... 244 13.11.13.1.3. Control Enhancement PE-13 (3) .......................................................................... 245 13.11.14. 13.11.15. 13.11.16. 13.11.17. 13.11.18. 13.12.1. 13.12.2. 13.12.3. 13.12.4. 13.12.5. 13.13.1. 13.13.2. 13.13.3. 13.13.4. 13.13.5. 13.13.6. 13.13.7. 13.13.8. 13.14.1. Temperature and Humidity Controls (PE-14) ................................................................ 246 Water Damage Protection (PE-15) ................................................................................ 247 Delivery and Removal (PE-16) ....................................................................................... 248 Alternate Work Site (PE-17) .......................................................................................... 248 Location of Information System Components (PE-18) .................................................. 250 Security Planning Policy and Procedures (PL-1) ............................................................ 251 System Security Plan (PL-2) ........................................................................................... 252 Rules of Behavior (PL-4) ................................................................................................ 253 Privacy Impact Assessment (PL-5)................................................................................. 254 Security-Related Activity Planning (PL-6) ...................................................................... 255 Personnel Security Policy and Procedures (PS-1) .......................................................... 256 Position Categorization (PS-2) ....................................................................................... 257 Personnel Screening (PS-3) ........................................................................................... 258 Personnel Termination (PS-4) ........................................................................................ 258 Personnel Transfer (PS-5) .............................................................................................. 260 Access Agreements (PS-6) ............................................................................................. 261 Third-Party Personnel Security (PS-7) ........................................................................... 262 Personnel Sanctions (PS-8)............................................................................................ 263 Risk Assessment Policy and Procedures (RA-1)............................................................. 264 Company Sensitive and Proprietary
Page 13
13.12. Planning (PL) ................................................................................................................................. 251
13.13. Personnel Security (PS) ................................................................................................................. 256
13.14. Risk Assessment (RA) .................................................................................................................... 264
13.14.2. 13.14.3. 13.14.4.
Security Categorization (RA-2) ...................................................................................... 265 Risk Assessment (RA-3) ................................................................................................. 266 Vulnerability Scanning (RA-5) ........................................................................................ 268
13.14.4.1. Control Enhancements for Vulnerability Scanning ....................................................... 270 13.14.4.1.1. Control Enhancement RA-5 (1) ................................................................................. 270 13.14.4.1.2. Control Enhancement RA-5 (2) ................................................................................. 270 13.14.4.1.3. Control Enhancement RA-5 (3) ................................................................................. 271 13.14.4.1.4. Control Enhancement RA-5 (5) ................................................................................. 272 13.14.4.1.5. Control Enhancement RA-5 (6) ................................................................................. 273 13.14.4.1.6. Control Enhancement RA-5 (9) ................................................................................. 273 13.15. System and Services Acquisition (SA)............................................................................................ 274 13.15.1. 13.15.2. 13.15.3. 13.15.4. System and Services Acquisition Policy and Procedures (SA-1) .................................... 274 Allocation of Resources (SA-2) ...................................................................................... 275 Life Cycle Support (SA-3) ............................................................................................... 276 Acquisitions (SA-4) ........................................................................................................ 277
13.15.4.1. Control Enhancements for Acquisitions ........................................................................ 278 13.15.4.1.1. Control Enhancement SA-4 (1).................................................................................. 279 13.15.4.1.2. Control Enhancement SA-4 (4).................................................................................. 279 13.15.4.1.3. Control Enhancement SA-4 (7).................................................................................. 280 13.15.5. Information System Documentation (SA-5) .................................................................. 281 13.15.5.1.1. Control Enhancement SA-5 (1).................................................................................. 282 13.15.5.1.2. Control Enhancement SA-5 (3).................................................................................. 283 13.15.6. 13.15.7. 13.15.8. 13.15.9. 13.15.10. 13.15.11. Software Usage Restrictions (SA-6) ............................................................................... 284 User Installed Software (SA-7) ...................................................................................... 285 Security Engineering Principles (SA-8) .......................................................................... 286 External Information System Services (SA-9) ................................................................ 286 Developer Configuration Management (SA-10)............................................................ 289 Developer Security Testing (SA-11) ............................................................................... 291
13.15.9.1.1. Control Enhancement SA-9 (1).................................................................................. 287
13.15.11.1. Control Enhancements for Developer Security Testing................................................. 292 13.15.11.1.1. Control Enhancement SA-11 (1) .......................................................................... 292 13.15.12. 13.16.1. Supply Chain Protection (SA-12) ................................................................................... 293 System & Communications Protection Policy and Procedures (SC-1)........................... 294 Company Sensitive and Proprietary
Page 14
13.16. System and Communications Protection (SC) ............................................................................... 294
13.16.2. 13.16.3. 13.16.4. 13.16.5. 13.16.6.
Application Partitioning (SC-2) ...................................................................................... 295 Information In Shared Resources (SC-4) ....................................................................... 296 Denial of Service Protection (SC-5) ............................................................................... 297 Resource Priority (SC-6) ................................................................................................ 298 Boundary Protection (SC-7)........................................................................................... 298
13.16.6.1. Control Enhancements for Boundary Protection .......................................................... 299 13.16.6.1.1. Control Enhancement SC-7 (1) .................................................................................. 299 13.16.6.1.2. Control Enhancement SC-7 (2) .................................................................................. 301 13.16.6.1.3. Control Enhancement SC-7 (3) .................................................................................. 302 13.16.6.1.4. Control Enhancement SC-7 (4) .................................................................................. 302 13.16.6.1.5. Control Enhancement SC-7 (5) .................................................................................. 304 13.16.6.1.6. Control Enhancement SC-7 (7) .................................................................................. 305 13.16.6.1.7. Control Enhancement SC-7 (8) .................................................................................. 305 13.16.6.1.8. Control Enhancement SC-7 (12) ................................................................................ 306 13.16.6.1.9. Control Enhancement SC-7 (13) ................................................................................ 307 13.16.6.1.10. Control Enhancement SC-7 (18) .......................................................................... 308 13.16.7. Transmission Integrity (SC-8)......................................................................................... 309 13.16.7.1. Control Enhancement for Transmission Integrity ......................................................... 309 13.16.7.1.1. Control Enhancement SC-8 (1) .................................................................................. 309 13.16.8. Transmission Confidentiality (SC-9)............................................................................... 310 13.16.8.1. Control Enhancement for Transmission Confidentiality ............................................... 311 13.16.8.1.1. Control Enhancement SC-9 (1) .................................................................................. 311 13.16.9. 13.16.10. 13.16.11. Network Disconnect (SC-10) ......................................................................................... 312 Trusted Path (SC-11) ...................................................................................................... 313 Cryptographic Key Establishment & Management (SC-12) ........................................... 314
13.16.11.1. Control Enhancements for Cryptographic Key Establishment & Management ............ 315 13.16.11.1.1. Control Enhancement SC-12 (2) .......................................................................... 315 13.16.11.1.2. Control Enhancement SC-12 (5) .......................................................................... 315 13.16.12. Use of Cryptography (SC-13) ......................................................................................... 316 13.16.12.1. Control Enhancement for Use of Cryptography ............................................................ 317 13.16.12.1.1. Control Enhancement SC-13 (1) .......................................................................... 317 13.16.13. 13.16.14. 13.16.15. Public Access Protections (SC-14) ................................................................................. 318 Collaborative Computing (SC-15) .................................................................................. 318 Public Key Infrastructure Certificates (SC-17) ............................................................... 320 Company Sensitive and Proprietary
Page 15
13.16.16. 13.16.17. 13.16.18.
Mobile Code (SC-18) ..................................................................................................... 321 Voice Over Internet Protocol (SC-19) ............................................................................ 322 Secure Name-Address Resolution Service (Authoritative Source) (SC-20) ................... 323
13.16.18.1. Control Enhancement for Secure Name-Address Resolution Service........................... 324 13.16.18.1.1. Control Enhancement SC-20 (1) .......................................................................... 324 13.16.19. 13.16.20. 13.16.21. 13.16.22. 13.16.23. 13.16.24. 13.17.1. 13.17.2. Secure Name-Address Resolution Service (Recursive or Caching Resolver) (SC-21) .... 325 Architecture and Provisioning for Name-Address Resolution Service (SC-22) ............. 325 Session Authenticity (SC-23) ......................................................................................... 326 Protection of Information At Rest (SC-28)..................................................................... 327 Virtualization Techniques (SC-30) ................................................................................. 328 Information System Partitioning (SC-32)....................................................................... 328 System & Information Integrity Policy & Procedures (SI-1) .......................................... 329 Flaw Remediation (SI-2) ................................................................................................ 330
13.17. System and Information Integrity (SI) ........................................................................................... 329
13.17.2.1. Control Enhancement for Flaw Remediation ................................................................ 331 13.17.2.1.1. Control Enhancement SI-2 (2) ................................................................................... 331 13.17.3. Malicious Code Protection (SI-3)................................................................................... 332 13.17.3.1. Control Enhancements for Malicious Code Protection ................................................. 334 13.17.3.1.1. Control Enhancement SI-3 (1) ................................................................................... 334 13.17.3.1.2. Control Enhancement SI-3 (2) ................................................................................... 335 13.17.3.1.3. Control Enhancement SI-3 (3) ................................................................................... 335 13.17.4. Information System Monitoring Tools & Techniques (SI-4)........................................... 336 13.17.4.1. Control Enhancements for Information System Monitoring Tools & Techniques ......... 338 13.17.4.1.1. Control Enhancement SI-4 (2) ................................................................................... 338 13.17.4.1.2. Control Enhancement SI-4 (4) ................................................................................... 338 13.17.4.1.3. Control Enhancement SI-4 (5) ................................................................................... 339 13.17.4.1.4. Control Enhancement SI-4 (6) ................................................................................... 340 13.17.5. 13.17.6. 13.17.7. Security Alerts & Advisories (SI-5)................................................................................. 341 Security Functionality Verification (SI-6) ....................................................................... 343 Software & Information Integrity (SI-7) ........................................................................ 343
13.17.7.1. Control Enhancement for Software & Information Integrity ........................................ 344 13.17.7.1.1. Control Enhancement SI-7 (1) ................................................................................... 344 13.17.8. 13.17.9. Spam Protection (SI-8) .................................................................................................. 345 Information Input Restrictions (SI-9)............................................................................. 346 Company Sensitive and Proprietary
Page 16
13.17.10. 13.17.11. 13.17.12. 14.
Information Input Accuracy, Completeness, Validity, and Authenticity (SI-10) ............ 347 Error Handling (SI-11).................................................................................................... 348 Information Output Handling and Retention (SI-12) .................................................... 349
Acronyms .................................................................................................................................................. 351 SYSTEMS SECURITY PLAN ATTACHMENTS ..................................................................................... 352 14.1. ATTACHMENT 1 - [Information Security Policies].......................................................................... 352 14.2. ATTACHMENT 2 - [User Guide] ...................................................................................................... 352 14.3. ATTACHMENT 3 - [e-Authentication Worksheet] .......................................................................... 352 14.4. ATTACHMENT 4 - [PTA/PIA] ........................................................................................................... 352 14.5. ATTACHMENT 5 - [Rules of Behavior]............................................................................................ 352 14.6. ATTACHMENT 6 - [IT Contingency Plan] ........................................................................................ 352 14.7. ATTACHMENT 7 - [Configuration Management Plan] ................................................................... 352 14.8. ATTACHMENT 8 - [Incident Response Plan] .................................................................................. 352 14.9. ATTACHMENT 9 - [CIS Workbook] ................................................................................................. 352
Page 17
List of Tables
Table 1-1. Information System Name and Title ........................................................................................... 23 Table 2-1. Security Categorization............................................................................................................... 23 Table 2-2. Sensitivity Categorization of Information Types ......................................................................... 25 Table 2-3. Security Impact Level ................................................................................................................. 25 Table 2-4. Baseline Security Categorization ................................................................................................ 26 Table 2-5. E-Authentication Questions ....................................................................................................... 26 Table 2-6. E-Authentication Level Determination ....................................................................................... 26 Table 3-1. Information System Owner ........................................................................................................ 27 Table 5-1. Information System Management Point of Contact ................................................................... 27 Table 5-2. Information System Technical Point of Contact.......................................................................... 28 Table 6-1. CSP Internal ISSO (or Equivalent) ............................................................................................... 28 Table 6-2. FedRAMP Appointed ISSO .......................................................................................................... 28 Table 7-1. System Status ............................................................................................................................. 29 Table 8-1. Service Layers Represented in this SSP ...................................................................................... 30 Table 8-2. Leveraged Authorizations ........................................................................................................... 30 Table 9-1. User Roles and Privileges............................................................................................................ 31 Table 10-1. Server Hardware Components ................................................................................................. 33 Table 10-2. Software Components .............................................................................................................. 34 Table 10-3. Network Components .............................................................................................................. 34 Table 10-4. Ports, Protocols, and Services .................................................................................................. 36 Table 11-1. System Interconnections .......................................................................................................... 37 Table 13-1. Summary of Required Security Controls .................................................................................. 41 Table 13-2. Authorized Connections ......................................................................................................... 124
List of Figures
Figure 10-1. Network Diagram .................................................................................................................... 32 Figure 10-2. Data Flow Diagram .................................................................................................................. 36
Page 18
ABOUT THIS DOCUMENT

This document is released in template format. Once populated with content, this document will include detailed information about service provider information security controls.
WHO SHOULD USE THIS DOCUMENT?

This document is intended to be used by service providers who are applying for a Provisional Authorization through the U.S. federal government FedRAMP program. U.S. federal agencies may want to use it to document information systems security plans that are not part of the FedRAMP program. Other uses of this template include using it to document organizational information security controls for the purpose of creating a plan to manage a large information security infrastructure. Complex and sophisticated systems are difficult to manage without a documented understanding of how the infrastructure is architected.
HOW THIS DOCUMENT IS ORGANIZED

This document is divided into six sections and includes <number> attachments. Most sections include subsections. Section 1 identifies the system. Section 2 describes the system categorization in accordance with FIPS 199. Section 3 identifies the system owner and provides contact information. Section 4 identifies the authorizing official. Section 5 identifies other designated contacts. Section 6 identifies the assignment of security responsibility. Section 7 identifies the operational status of the information system. Section 8 identifies the type of information system. Section 9 describes the function and purpose of the information system. Section 10 describes the information system environment. Section 11 identifies interconnections between other information systems. Section 12 describes laws and regulations related to operations of the information system.
Page 19
Section 13 provides an in-depth description of how each security control is implemented.
CONVENTIONS USED IN THIS DOCUMENT

This document uses the following typographical conventions: Italic Italics are used for email addresses, security control assignments parameters, and formal document names. Italic blue in a box Italic blue text in a blue box indicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Blue bold text in brackets indicates a user defined variable that should be replaced with a specific name. Once the text has been replaced, the brackets should be removed. Notes Notes are found between parallel lines and include additional information that may be helpful to the users of this template. Note: This is a note.
Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. Sans Serif Gray Sans Serif gray text is used for examples.
HOW TO CONTACT US
If you have questions about FedRAMP, or if you have technical questions about this document including how to use it, write to:
Page 20
info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov.
Page 21
SYSTEM SECURITY PLAN APPROVALS

Cloud Service Provider Signatures
x
<Name> <Title> <Cloud Service Provider>
<Date>
<Date>
<Date>
Page 22
1. INFORMATION SYSTEM NAME/TITLE

This System Security Plan provides an overview of the security requirements for the <Information System Name> (<Information System Abbreviation>) and describes the controls in place or planned for implementation to provide a level of security appropriate for the information to be transmitted, processed or stored by the system. Information security is an asset vital to our critical infrastructure and its effective performance and protection is a key component of our national security program. Proper management of information technology systems is essential to ensure the confidentiality, integrity and availability of the data transmitted, processed or stored by the <Information System Name> information system. The security safeguards implemented for the <Information System Name> system meet the policy and control requirements set forth in this System Security Plan. All systems are subject to monitoring consistent with applicable laws, regulations, agency policies, procedures and practices.
Table 1-1. Information System Name and Title Unique Identifier Information System Name Information System Abbreviation
2. INFORMATION SYSTEM CATEGORIZATION

The overall information system sensitivity categorization is noted in the table that follows.
Table 2-1. Security Categorization Low Moderate High
2.1. INFORMATION TYPES

This section describes how the information types used by the information system are categorized for confidentiality, integrity, and availability sensitivity levels. The following tables identify the information types that are input, stored, processed, and/or output from <Information System Name>. The selection of the information types is based on guidance provided by OMB Federal Enterprise Architecture Program Management Office Business Reference Model 2.0, and FIPS Pub 199, Standards for Security Categorization of Federal Information and Information Systems which is based on NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.
Page 23
The tables also identify the security impact levels for confidentiality, integrity, and availability for each of the information types expressed as low, moderate, or high. The security impact levels are based on the potential impact definitions for each of the security objectives (i.e., confidentiality, integrity, and availability) discussed in NIST SP 800-60 and FIPS Pub 199. The potential impact is low if - The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. - A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals. The potential impact is moderate if - The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. - A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries. The potential impact is high if - The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. - A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
Page 24
Instruction: Record your information types in the table that follow. Record the sensitivity level for Confidentiality, Integrity, and Availability as High, Moderate, or Low. Add more rows as needed to add more information types. Use NIST SP 800-60 Guide for Mapping Types of Information and Systems to Security Categories, Volumes I & II, Revision 1 for guidance.
Note: The information types found in NIST SP 800-60, Volumes I and II Revision 1 are the same information types found in the Federal Enterprise Architecture (FEA) Consolidated Reference Model.
Table 2-2. Sensitivity Categorization of Information Types Information Type Confidentiality Integrity Availability
2.2. SECURITY OBJECTIVES CATEGORIZATION (FIPS 199)

Based on the information provided in Table 2-2, Information Types, for the <Information System Name> default to the high-water mark for the noted Information Types as identified in the table below.
Table 2-3. Security Impact Level Security Objective Confidentiality Integrity Availability Low, Moderate or High
Note: Please refer to FIPS PUB 199 Standards for Security Categorization of Federal Information and Information Systems.
Through review and analysis it has been determined that the baseline security categorization for the <Information System Name> system is listed in the table that follows.
Page 25
Table 2-4. Baseline Security Categorization <Information System Name> Security Categorization Low, Moderate or High
Using this categorization, in conjunction with the risk assessment and any unique security requirements, we have established the security controls for this system, as detailed in this SSP.
2.3. E-AUTHENTICATION DETERMINATION (E-AUTH)

The information system e-Authentication Determination is described in the table that follows.
Table 2-5. E-Authentication Questions Yes No E-Authentication Question Does the system require authentication via the Internet? Is data being transmitted over the Internet via browsers? Do users connect to the system from over the Internet?
Instruction: Any information system that has a No response to any one of the three questions does not need an E-Authentication risk analysis or assessment. For a system that has a "Yes" response to all of the questions, complete the E-Authentication Plan (a template is available).
Note: Please refer to OMB Memo M-04-04 E-Authentication Guidance for Federal Agencies for more information on e-Authentication.
The summary E-Authentication Level is recorded in the table that follows.

Table 2-6. E-Authentication Level Determination E-Authentication Determination System Name System Owner Assurance Level Date Approved
Page 26
3. INFORMATION SYSTEM OWNER

The following individual is identified as the system owner or functional proponent/advocate for this system.
Table 3-1. Information System Owner Name Title Company / Organization Address Phone Number Email Address
4. AUTHORIZING OFFICIAL
The Authorizing Official (AO) or Designated Approving Authority (DAA) for this information system is the Federal Risk Authorization Management Program (FedRAMP), Joint Authorization Board (JAB) as comprised of member representatives from the General Services Administration (GSA), Department of Defense (DOD) and Department of Homeland Security (DHS).
5. OTHER DESIGNATED CONTACTS

The following individual(s) identified below possess in-depth knowledge of this system and/or its functions and operation.
Table 5-1. Information System Management Point of Contact Name Title Company / Organization Address Phone Number
Page 27
<Information System Name> System Security Plan Version <0.00> / <Date> Email Address
Table 5-2. Information System Technical Point of Contact Name Title Company / Organization Address Phone Number Email Address
Instruction: Add more tables as needed.
6. ASSIGNMENT OF SECURITY RESPONSIBILITY

The Information System Security Officers (ISSO), or their equivalent, identified below, have been appointed in writing and are deemed to have significant cyber and operational role responsibilities.
Table 6-1. CSP Internal ISSO (or Equivalent) Name Title Company / Organization Address Phone Number Email Address
Table 6-2. FedRAMP Appointed ISSO Name Title FedRAMP ISSO
Page 28
<Information System Name> System Security Plan Version <0.00> / <Date> FedRAMP Address Phone Number Email Address 1275 First Street, NE, Washington, DC, 20002, Room 1180
7. INFORMATION SYSTEM OPERATIONAL STATUS

The system is currently in the life-cycle phase noted in the table that follows.
Table 7-1. System Status System Status Operational Under Development Major Modification Other The system is operating and in production. The system is being designed, developed, or implemented The system is undergoing a major change, development, or transition. Explain:
Instruction: Select as many status indicators that apply. If more than one status is selected, list which components of the system are covered under each status indicator.
8. INFORMATION SYSTEM TYPE

The <Information System Name> makes use of unique managed service provider architecture layer(s).
8.1. CLOUD SERVICE MODEL

Information systems, particularly those based on cloud architecture models, are made up of different service layers. The layers of the <Information System Name> that are defined in this SSP, and are not leveraged by any other Provisional Authorizations, are indicated in the table that follows. Instruction: Check all layers that apply.
Page 29
<Information System Name> System Security Plan Version <0.00> / <Date> Table 8-1. Service Layers Represented in this SSP Service Provider Architecture Layers Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Other Major Application Major Application General Support System Explain:
Note: Please refer to NIST SP 800-145 for information on cloud computing architecture models.
8.2. LEVERAGED PROVISIONAL AUTHORIZATIONS

Instruction: The FedRAMP program qualifies different service layers for Provisional Authorizations. One, or multiple service layers, can be qualified in one System Security Plan. See the section on Use Cases in Guide to Understanding FedRAMP for more information. If a lower level layer has been granted a Provisional Authorization, and another higher level layer represented by this SSP plans to leverage a lower layers Provisional Authorization, this System Security Plan must clearly state that intention. If an information system does not leverage any pre-existing Provisional Authorizations, write None in the first column of the table that follows. Add as many rows as necessary in the table that follows. The <Information System Name> <plans to/does not plan to> leverage a pre-existing Provisional Authorization. Provisional Authorizations leveraged by this <Information System Name> are noted in the table that follows.
Table 8-2. Leveraged Authorizations Information System Name Service Provider Owner Date Granted
9. GENERAL SYSTEM DESCRIPTION

This section includes a general description of the <Information System Name>.
Page 30
9.1. SYSTEM FUNCTION OR PURPOSE

Instruction: In the space that follows, describe the purpose and functions of this system.
9.2. INFORMATION SYSTEM COMPONENTS AND BOUNDARIES

Instruction: In the space that follows, describe the information systems major components, inter-connections, and boundaries in sufficient detail that accurately depicts the authorization boundary for the information system. Formal names of components as they are known at the service provider organization in functional specs, configuration guides, other documents, and live configurations should be named here and described. Please ensure that the discussion on boundaries is consistent with the network diagram shown in Section 9.4. Please see Guide to Understanding FedRAMP for more information.
9.3. TYPES OF USERS

All users have their employee status categorized with a sensitivity level in accordance with PS-2. Employees (or contractors) of service providers are considered Internal Users. All other users are considered External Users. User privileges (authorization permission after authentication takes place) are described in the table that follows. Instruction: For an External User, please write Not Applicable in the Sensitivity Level Column. Please include systems administrators and database administrators as a role types. (Also include web server administrators, network administrators, and firewall administrators if these individuals have the ability to configure a device or host that could impact the CSP service offering.) Add additional rows if necessary.
Table 9-1. User Roles and Privileges Role Internal or External Sensitivity Level Authorized Privileges and Functions Performed
Page 31
<Information System Name> System Security Plan Version <0.00> / <Date> Authorized Privileges and Functions Performed
Role
Internal or External
Sensitivity Level
Note: User roles typically align with Active Directory, LDAP, Role-based Access Controls (RBAC), NIS and UNIX groups, and/or UNIX netgroups.
There are currently <number> of internal users and <number> of external users. Within one year, it is anticipated that there will be <number> of internal users and <number> of external users.
9.4. NETWORK ARCHITECTURE

Instruction: Insert a network architectural diagram in the space that follows. Ensure that the following items are labeled on the diagram: hostnames, DNS servers, authentication and access control servers, directory servers, firewalls, routers, switches, database servers, major applications, Internet connectivity providers, telecom circuit numbers, and network numbers/VLANs. If necessary, include multiple network diagrams. The following architectural diagram(s) provides a visual depiction of the major hardware components that constitute <Information System Name>.
<insert diagram>
Figure 10-1. Network Diagram
10. SYSTEM ENVIRONMENT

Instruction: In the space that follows, provide a general description of the technical system environment. Include information about all system environments that are used, e.g. production environment, test environment, staging or QA environments.
Page 32
10.1.1.
Hardware Inventory
The following table lists the principal server hardware components for <Information System Name>.
Instruction: Please include server hardware and any major storage components in this table. The first three rows are sample entries. If your service offering does not include hardware because you are leveraging all hardware from a pre-existing Provisional Authorization, write None in the first column. Add additional rows as needed.
Table 10-1. Server Hardware Components Hostname Make Model and Firmware SilverEdge M710, 4.6ios SilverEdge M610, 4.6ios iSCSI SAN Storage Location Components that Use this Device AppOne, EAuthApp
hostname1.com
Company
Dallas, Rm. 6, Rack 4
hostname2.com
Company
Datacenter2, Rack 7
VMs 1-50
Not Applicable
Company
Bldg 4, Rm 7
SAN Storage
Note: A complete and detailed list of the system hardware and software inventory is required per NIST SP 800-53, Rev 3 CM-2.
10.1.2.
Software Inventory
The following table lists the principle software components for <Information System Name>. Instruction: Please include any middleware, databases, or secure file transfer applications in this table. The first three rows are sample entries. The first three rows are sample entries. Add additional rows as needed.
Page 33
Table 10-2. Software Components Hostname Function Version Patch Level Virtual (Yes / No) No
hostname1.com
Physical Host for Virtual Infrastructure
XYZi.4.x vSphere
Update 1
hostname2.com
Virtual Machine Application Server Windows 2003 Server
SP2
Yes
hostname3.com
Virtual Database SQL Server
6.4.22 build 7
SP1
Yes
10.1.3.
Network Inventory
The following table lists the principle network devices and components for <Information System Name>. Instruction: Please include any switches, routers, hubs, and firewalls that play a role in protecting the information system, or that enable the network to function properly. The first three rows are sample entries. If all network devices and components are leveraged from a preexisting Provisional Authorization, write Leveraged in the first column. Add additional rows as needed.
Table 10-3. Network Components Hostname Make Model IP Address Function
router-dallas
RouterCo
2800
192.168.0.1
router
switch-1
SwitchCo
EZSX55W
10.5.3.1
switch
fw.yourcompany.com
FirewallCo
21400, R71.x
192.168.0.2
firewall
Page 34
<Information System Name> System Security Plan Version <0.00> / <Date> Hostname Make Model IP Address Function
Page 35
10.1.4.
Data Flow
Instruction: In the space that follows, describe the flow of data in and out of system boundaries and insert a data flow diagram. See Guide to Understanding FedRAMP for a dataflow example. If necessary, include multiple data flow diagrams.
<insert diagram>
Figure 10-2. Data Flow Diagram
10.1.5.
Ports, Protocols and Services
The table below lists the Ports, Protocols, and Services enabled in this information system. TCP ports are indicated with a T and UDP ports are indicated with a U. Instruction: In the column labeled Used By please indicate the components of the information system that make use of the ports, protocols, and services. In the column labeled Purpose indicate the purpose for the service (e.g. system logging, HTTP redirector, load balancing). This table should be consistent with CM-6 and CM-7. You must fill out this table, even if you are leveraging a pre-existing Provisional Authorization. Add more rows as needed.
Table 10-4. Ports, Protocols, and Services Ports (T or U) Protocols Services Purpose Used By
Page 36
<Information System Name> System Security Plan Version <0.00> / <Date> Ports (T or U) Protocols Services Purpose Used By
11. SYSTEM INTERCONNECTIONS

Instruction: List all interconnected systems. Provide the IP address and interface identifier (ie0, ie1, ie2) for the CSP system that provides the connection. Name the external organization and the IP address of the external system. Indicate how the connection is being secured. For Connection Security indicate how the connection is being secured. For Data Direction, indicate which direction the packets are flowing. For Information Being Transmitted, describe what type of data is being transmitted. If a dedicated telecom line is used, indicate the circuit number. Add additional rows as needed. This table should be consistent with CA-3.
Table 11-1. System Interconnections External Organization Name and IP Address of System Connection Security (IPSec VPN, SSL, Certificates, Secure File Transfer etc.) Data Direction (incoming, outgoing, or both)
CSP IP Address and Interface
External Point of Contact and Phone Number
Information Being Transmitted
Ports or Circuit #
Page 37
<Information System Name> System Security Plan Version <0.00> / <Date> External Organization Name and IP Address of System
CSP IP Address and Interface
External Point of Contact and Phone Number
Connection Security (IPSec VPN, SSL, Certificates, Secure File Transfer etc.)
Data Direction (incoming, outgoing, or both)
Information Being Transmitted
Ports or Circuit #
Page 38
12. APPLICABLE LAWS AND REGULATIONS

12.1. APPLICABLE LAWS
The following laws and regulations apply to the information system: Computer Fraud and Abuse Act [PL 99-474, 18 USC 1030] E-Authentication Guidance for Federal Agencies [OMB M-04-04] Federal Information Security Management Act (FISMA) of 2002 [Title III, PL 107-347] Freedom of Information Act As Amended in 2002 [PL 104-232, 5 USC 552] Guidance on Inter-Agency Sharing of Personal Data Protecting Personal Privacy [OMB M-01-05] Homeland Security Presidential Directive-7, Critical Infrastructure Identification, Prioritization, and Protection [HSPD-7] Internal Control Systems [OMB Circular A-123] Management of Federal Information Resources [OMB Circular A-130] Managements Responsibility for Internal Control [OMB Circular A-123, Revised 12/21/2004] Privacy Act of 1974 as amended [5 USC 552a] Protection of Sensitive Agency Information [OMB M-06-16] Records Management by Federal Agencies [44 USC 31] Responsibilities for the Maintenance of Records About Individuals by Federal Agencies [OMB Circular A-108, as amended] Security of Federal Automated Information Systems [OMB Circular A-130, Appendix III]
12.2. APPLICABLE STANDARDS AND GUIDANCE

The following standards and guidance apply to the information system: A NIST Definition of Cloud Computing [NIST SP 800-145] Computer Security Incident Handling Guide [NIST SP 80061, Revision 1] Contingency Planning Guide for Federal Information Systems [NIST SP 800-34, Revision 1] Engineering Principles for Information Technology Security (A Baseline for Achieving Security) [NIST SP 800-27, Revision A] Guide for Assessing the Security Controls in Federal Information Systems [NIST SP 80053A] Guide for Developing Security Plans for Federal Information Systems [NIST SP 800-18, Revision 1] Guide for Developing the Risk Management Framework to Federal Information Systems:
Page 39
A Security Life Cycle Approach [NIST SP 800-37, Revision 1] Guide for Mapping Types of Information and Information Systems to Security Categories [NISP SP 800-60, Revision 1] Guide for Security-Focused Configuration Management of Information Systems [NIST SP 800-128] Information Security Continuous Monitoring for Federal Information Systems and Organizations [NIST SP 800-137] Minimum Security Requirements for Federal Information and Information Systems [FIPS Publication 200] Personal Identity Verification (PIV) of Federal Employees and Contractors [FIPS Publication 201-1] Recommended Security Controls for Federal Information Systems [NIST SP 800-53, Revision 3] Risk Management Guide for Information Technology Systems [NIST SP 800-30] Security Considerations in the System Development Life Cycle [NIST SP 800-64, Revision 2] Security Requirements for Cryptographic Modules [FIPS Publication 140-2] Standards for Security Categorization of Federal Information and Information Systems [FIPS Publication 199] Technical Guide to Information Security Testing and Assessment [NIST SP 800-115] Note: All NIST Computer Security Publications can be found at the following URL: http://csrc.nist.gov/publications/PubsSPs.html
13. MINIMUM SECURITY CONTROLS

Security controls must meet minimum security control baseline requirements. There are security control baseline requirements for management controls, operational controls, and technical controls. Management security controls identify the management safeguards and countermeasures in-place or planned for <Information System Name>. Management Controls are those safeguards and countermeasures that focus on the management of risk and the management of the information security system. They are actions that are performed primarily to support information system security management decisions. Operational security controls identify the operational safeguards and countermeasures in-place or planned for <Information System Name>. Operational controls are those safeguards and countermeasures that are primarily implemented and executed by people as opposed to systems and technology. Technical security controls identify the technical safeguards and countermeasures in-place or
Page 40
planned for <Information System Name>. Technical Controls are those safeguards and countermeasures that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system. Upon categorizing a system as Low, Moderate, or High sensitivity in accordance with FIPS 199, the appropriate security control baseline standards are applied. Some of the control baselines have enhanced controls which are indicated in parenthesis. Security controls that are representative of the sensitivity of <Information System Name> are described in the sections that follow. Security controls that are designated as Not Selected or Withdrawn by NIST are not described unless they have additional FedRAMP controls. Guidance on how to describe the implemented standard can be found in NIST 800-53, Rev 3. Control enhancements are marked in parenthesis in the sensitivity columns. Systems that are categorized as FIPS 199 Low use the controls designated as Low and systems categorized as FIPS 199 Moderate use the controls designated as Moderate. A summary of which security standards pertain to which sensitivity level is found in the table that follows. If a security control has an additional requirement for FedRAMP that is above and beyond the NIST 800-53, Rev 3 standard, the additional requirement is noted in the right-hand column.
Table 13-1. Summary of Required Security Controls Sensitivity Level ID Control Description Low Mod Delta from NIST 800-53 r3
Access Control AC-1 AC-2 Access Control Policy & Procedures Account Management AC-1 AC-2 AC-1 AC-2, (1) (2) (3) (4) (7) AC-3 (3) AC-4 AC-5 AC-6 (1) (2) AC-7 AC-8 Not Selected No Yes
AC-3 AC-4 AC-5 AC-6 AC-7 AC-8 AC-9
Access Enforcement Information Flow Enforcement Separation of Duties Least Privilege Unsuccessful Login Attempts System Use Notification Previous Logon Notification
AC-3 Not Selected Not Selected Not Selected AC-7 AC-8 Not Selected
Yes No No Yes No Yes No
Page 41
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod AC-10 AC-11 (1) --AC-14 (1) Delta from NIST 800-53 r3 Yes Yes No No No
AC-10 AC-11 AC-12 AC-13 AC-14
Concurrent Session Control Session Lock Withdrawn by NIST Withdrawn by NIST Permitted Actions w/out Identification or Authentication Withdrawn by NIST Security Attributes Remote Access
Not Selected Not Selected --AC-14
AC-15 AC-16 AC-17
-Not Selected AC-17
-AC-16 AC-17 (1) (2) (3) (4) (5) (7) (8) AC-18 (1) (2) AC-19 (1) (2) (3) AC-20 (1) (2) Not Selected
No Yes Yes
AC-18 AC-19 AC-20 AC-21
Wireless Access Access Control for Mobile Devices Use of External Information Systems User-Based Collaboration and Information Sharing Publicly Accessible Content
AC-18 AC-19 AC-20 Not Selected
Yes Yes No No
AC-22
AC-22 Awareness and Training
AC-22
No
AT-1
Security Awareness & Training Policy and Procedures Security Awareness Security Training Security Training Records Contacts with Security Groups and Associations
AT-1
AT-1
No
AT-2 AT-3 AT-4 AT-5
AT-2 AT-3 AT-4 Not Selected
AT-2 AT-3 AT-4 Not Selected
No No No No
Audit and Accountability
Page 42
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod AU-1 Delta from NIST 800-53 r3 No
AU-1
Audit and Accountability Policy and Procedures Auditable Events Content of Audit Records Audit Storage Capacity Response to Audit Processing Failures Audit Review, Analysis, and Reporting Audit Reduction and Report Generation Time Stamps Protection of Audit Information Non-repudiation Audit Record Retention Audit Generation Monitoring for Information Disclosure Session Audit
AU-1
AU-2 AU-3 AU-4 AU-5 AU-6 AU-7 AU-8 AU-9 AU-10 AU-11 AU-12 AU-13 AU-14
AU-2 AU-3 AU-4 AU-5 AU-6 Not Selected AU-8 AU-9 AU-10 AU-11 AU-12 Not Selected Not Selected Security Assessment and Authorization
AU-2 (3) (4) AU-3 (1) AU-4 AU-5 AU-6 (1) (3) AU-7 (1) AU-8 (1) AU-9 (2) AU-10 (5) AU-11 AU-12 Not Selected Not Selected
Yes Yes No No Yes No Yes Yes Yes Yes No No No
CA-1
Security Assessment and Authorization Policies & Procedures Security Assessments Information System Connections Withdrawn by NIST Plan of Action & Milestones Security Authorization
CA-1
CA-1
No
CA-2 CA-3 CA-4 CA-5 CA-6
CA-2 (1) CA-3 -CA-5 CA-6
CA-2 (1) CA-3 -CA-5 CA-6
Yes No No No No
Page 43
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod CA-7 (2) Delta from NIST 800-53 r3 Yes
CA-7
Continuous Monitoring
CA-7 Configuration Management
CM-1
Configuration Management Policy and Procedures Baseline Configuration Configuration Change Control Security Impact Analysis Access Restrictions for Change Configuration Settings Least Functionality Information System Component Inventory Configuration Management Plan
CM-1
CM-1 CM-2 (1) (3) (5) CM-3 (2) CM-4 CM-5 (1) (5) CM-6 (1) (3) CM-7 (1) CM-8 (1) (3) (5) CM-9
No Yes Yes No Yes Yes Yes Yes No
CM-2 CM-3 CM-4 CM-5 CM-6 CM-7 CM-8 CM-9
CM-2 Not Selected CM-4 Not Selected CM-6 CM-7 CM-8 Not Selected Contingency Planning
CP-1 CP-2 CP-3 CP-4 CP-5 CP-6 CP-7 CP-8 CP-9
Contingency Planning Policy & Procedures Contingency Plan Contingency Training Contingency Plan Testing & Exercises Withdrawn by NIST Alternate Storage Site Alternate Processing Site Telecommunications Services Information System Backup
CP-1 CP-2 CP-3 CP-4 -Not Selected Not Selected Not Selected CP-9
CP-1 CP-2 (1) (2) CP-3 CP-4 (1) -CP-6 (1) (3) CP-7 (1) (2) (3) (5) CP-8 (1) (2) CP-9 (1) (3)
No Yes No Yes No No Yes Yes Yes
Page 44
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod CP-10 (2) (3) Delta from NIST 800-53 r3 Yes
CP-10
Information System Recovery & Reconstitution
CP-10
Identification and Authentication IA-1 Identification and Authentication Policy & Procedures Identification and Authentication (Organizational Users) Device Identification and Authentication Identifier Management Authenticator Management IA-1 IA-1 No
IA-2
IA-2 (1)
IA-2 (1) (2) (3) (8)
Yes
IA-3 IA-4 IA-5
Not Selected IA-4 IA-5 (1)
IA-3 IA-4 (4) IA-5 (1) (2) (3) (6) (7) IA-6 IA-7 IA-8
Yes Yes Yes
IA-6 IA-7 IA-8
Authenticator Feedback Cryptographic Module Authentication Identification and Authentication (NonOrganizational Users)
IA-6 IA-7 IA-8
No No No
Incident Response IR-1 IR-2 IR-3 IR-4 IR-5 IR-6 IR-7 IR-8 Incident Response Policy and Procedures Incident Response Training Incident Response Testing & Exercises Incident Handling Incident Monitoring Incident Reporting Incident Response Assistance Incident Response Plan Maintenance IR-1 IR-2 Not Selected IR-4 IR-5 IR-6 IR-7 IR-8 IR-1 IR-2 IR-3 IR-4 (1) IR-5 IR-6 (1) IR-7 (1) (2) IR-8 No No Yes Yes No No Yes Yes
Page 45
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod MA-1 MA-2 (1) MA-3 (1) (2) (3) MA-4 (1) (2) MA-5 MA-6 Delta from NIST 800-53 r3 No No Yes No No Yes
MA-1 MA-2 MA-3 MA-4 MA-5 MA-6
System Maintenance Policy & Procedures Controlled Maintenance Maintenance Tools Non-Local Maintenance Maintenance Personnel Timely Maintenance
MA-1 MA-2 Not Selected MA-4 MA-5 Not Selected
Media Protection MP-1 MP-2 MP-3 MP-4 MP-5 MP-6 Media Protection Policy and Procedures Media Access Media Marking Media Marking Media Storage Media Sanitization MP-1 MP-2 Not Selected Not Selected Not Selected MP-6 Physical and Environmental Protection PE-1 Physical and Environmental Protection Policy and Procedures Physical Access Authorizations Physical Access Control Access Control for Transmission Mission Access Control for Output Devices Monitoring Physical Access Visitor Control Access Records PE-1 PE-1 No MP-1 MP-2 (1) MP-3 MP-4 (1) MP-5 (2) (4) MP-6 (4) No Yes No Yes Yes Yes
PE-2 PE-3 PE-4 PE-5 PE-6 PE-7 PE-8
PE-2 PE-3 Not Selected Not Selected PE-6 PE-7 PE-8
PE-2 PE-3 PE-4 PE-5 PE-6 (1) PE-7 (1) PE-8
No No No No No No No
Page 46
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod PE-9 PE-10 PE-11 PE-12 PE-13 (1) (2) (3) PE-14 PE-15 PE-16 PE-17 PE-18 Not Selected Delta from NIST 800-53 r3 No Yes No No No Yes No No Yes No No
PE-9 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-16 PE-17 PE-18 PE-19
Power Equipment and Power Cabling Emergency Shutoff Emergency Power Emergency Lighting Fire Protection Temperature and Humidity Controls Water Damage Protection Delivery and Removal Alternate Work Site Location of Information System Components Information Leakage
Not Selected Not Selected Not Selected PE-12 PE-13 PE-14 PE-15 PE-16 Not Selected Not Selected Not Selected Planning
PL-1 PL-2 PL-3 PL-4 PL-5 PL-6
Security Planning Policy and Procedures System Security Plan Withdrawn by NIST Rules of Behavior Privacy Impact Assessment Security-Related Activity Planning
PL-1 PL-2 -PL-4 PL-5 Not Selected
PL-1 PL-2 -PL-4 PL-5 PL-6
No No No No No No
Personnel Security PS-1 PS-2 PS-3 Personnel Security Policy and Procedures Position Categorization Personnel Screening PS-1 PS-2 PS-3 PS-1 PS-2 PS-3 No No No
Page 47
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod PS-4 PS-5 PS-6 PS-7 PS-8 Delta from NIST 800-53 r3 No Yes No No No
PS-4 PS-5 PS-6 PS-7 PS-8
Personnel Termination Personnel Transfer Access Agreements Third-Party Personnel Security Personnel Sanctions
PS-4 PS-5 PS-6 PS-7 PS-8 Risk Assessment
RA-1 RA-2 RA-3 RA-4 RA-5
Risk Assessment Policy and Procedures Security Categorization Risk Assessment Withdrawn by NIST Vulnerability Scanning
RA-1 RA-2 RA-3 -RA-5
RA-1 RA-2 RA-3 -RA-5 (1) (2) (3) (6) (9)
No No No No Yes
System and Services Acquisition SA-1 System Services Acquisition Policy and Procedures Allocation of Resources Life Cycle Support Acquisitions Information System Documentation Software Usage Restrictions User Installed Software Security Engineering Principles External Information System Services SA-1 SA-1 No
SA-2 SA-3 SA-4 SA-5 SA-6 SA-7 SA-8 SA-9
SA-2 SA-3 SA-4 SA-5 SA-6 SA-7 Not Selected SA-9
SA-2 SA-3 SA-4 (1) (4) (7) SA-5 (1) (3) SA-6 SA-7 SA-8 SA-9 (1)
No No Yes No No No No Yes
Page 48
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod SA-10 SA-11 SA-12 Not Selected Not Selected Delta from NIST 800-53 r3 No Yes Yes No No
SA-10 SA-11 SA-12 SA-13 SA-14
Developer Configuration Management Developer Security Testing Supply Chain Protection Trustworthiness Critical Information Systems Components
Not Selected Not Selected Not Selected Not Selected Not Selected
System and Communications Protection SC-1 System and Communications Protection Policy and Procedures Application Partitioning Security Function Isolation Information in Shared Resources Denial of Service Protection Resource Priority Boundary Protection SC-1 SC-1 No
SC-2 SC-3 SC-4 SC-5 SC-6 SC-7
Not Selected Not Selected Not Selected SC-5 Not Selected SC-7
SC-2 Not Selected SC-4 SC-5 SC-6 SC-7 (1) (2) (3) (4) (5) (7) (8) (12) (13) (18) SC-8 (1) SC-9 (1) SC-10 SC-11 SC-12 (2) (5)
No No No Yes Yes Yes
SC-8 SC-9 SC-10 SC-11 SC-12
Transmission Integrity Transmission Confidentiality Network Disconnect Trusted Path Cryptographic Key Establishment and Management Use of Cryptography Public Access Protections
Not Selected Not Selected Not Selected Not Selected SC-12
No Yes No Yes Yes
SC-13 SC-14
SC-13 SC-14
SC-13 (1) SC-14
Yes No
Page 49
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod SC-15 Not Selected SC-17 SC-18 SC-19 SC-20 (1) Delta from NIST 800-53 r3 Yes No Yes No No No
SC-15 SC-16 SC-17 SC-18 SC-19 SC-20
Collaborative Computing Devices Transmission of Security Attributes Public Key Infrastructure Certificates Mobile Code Voice Over Internet Protocol (VOIP) Secure Name/Address Resolution Service (Authoritative Source) Secure Name/Address Resolution Service (Recursive or Caching Resolver) Architecture and Provisioning for Name / Address Resolution Service Session Authenticity Fail in Known State Thin Nodes Honeypots Operating System-Independent Applications Protection of Information at Rest Heterogeneity Virtualization Techniques Covert Channel Analysis Information System Partitioning Transmission Preparation Integrity Non-Modifiable Executable Programs
SC-15 Not Selected Not Selected Not Selected Not Selected SC-20 (1)
SC-21
Not Selected
SC-21
Yes
SC-22
Not Selected
SC-22
No
SC-23 SC-24 SC-25 SC-26 SC-27 SC-28 SC-29 SC-30 SC-31 SC-32 SC-33 SC-34
Not Selected Not Selected Not Selected Not Selected Not Selected Not Selected Not Selected Not Selected Not Selected Not Selected Not Selected Not Selected
SC-23 Not Selected Not Selected Not Selected Not Selected SC-28 Not Selected SC-30 Not Selected SC-32 Not Selected Not Selected
No No No No No Yes No Yes No No No No
System and Information Integrity
Page 50
<Information System Name> System Security Plan Version <0.00> / <Date> Sensitivity Level ID Control Description Low Mod SI-1 Delta from NIST 800-53 r3 No
SI-1
System and Information Integrity Policy and Procedures Flaw Remediation Malicious Code Protection Information System Monitoring Security Alerts, Advisories, and Directives Security Functionality Verification Software and Information Integrity Spam Protection Information Input Restrictions Information Input Validation Error Handling Information Output Handling and Retention Predictable Failure Prevention
SI-1
SI-2 SI-3 SI-4 SI-5 SI-6 SI-7 SI-8 SI-9 SI-10 SI-11 SI-12 SI-13
SI-2 SI-3 Not Selected SI-5 Not Selected Not Selected Not Selected Not Selected Not Selected Not Selected SI-12 Not Selected
SI-2 (2) SI-3 (1) (2) (3) SI-4 (2) (4) (5) (6) SI-5 SI-6 SI-7 (1) SI-8 SI-9 SI-10 SI-11 SI-12 Not Selected
No No Yes Yes Yes No No No No No No No
Page 51
Instruction: In the sections that follow, please describe the information security control as it is implemented on your system. All controls originate from a system or from a business process. It is important to describe where the control originates from so that it is clear whose responsibility it is to implement, manage, and monitor the control. In some cases, the responsibility is shared by a CSP and by the customer. Use the definitions in the table that follows to indicate where each security control originates from. Note that -1 Controls (AC-1, AU-1, SC-1 etc.) cannot be inherited and must be provided in some way by the service provider.
Control Origination Service Provider Corporate Definition A control that originates from the CSP corporate network. Example DNS from the corporate network provides address resolution services for the information system and the service offering. A unique host based intrusion detection system (HIDs) is available on the service offering platform but is not available on the corporate network. There a scans of the corporate network infrastructure; scans of databases and web based application are system specific. User profiles, policy/audit configurations, enabling/disabling key switches (e.g., enable/disable http or https, etc.), entering an IP range specific to their organization are configurable by the customer. The customer provides a SAML SSO solution to implement two-factor authentication. Security awareness training must be conducted by both the CSP and the customer. A PaaS or SaaS provider inherits PE controls from an IaaS provider.
Service Provider System Specific
A control specific to a particular system at the CSP and the control is not part of the standard corporate controls. A control that makes use of both corporate controls and additional controls specific to a particular system at the CSP. A control where the customer needs to apply a configuration in order to meet the control requirement.
Service Provider Hybrid
Configured by Customer
Provided by Customer
A control where the customer needs to provide additional hardware or software in order to meet the control requirement. A control that is managed and implemented partially by the CSP and partially by the customer. A control that is inherited from another CSP system that has already received a Provisional Authorization.
Shared
Inherited from preexisting Provisional Authorization
Page 52
13.1. ACCESS CONTROL (AC) 13.1.1. Access Control Policy and Procedures Requirements (AC-1)
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls. AC-1 Parameter Requirement: [at least annually]
AC-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) AC-1 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Page 53
13.1.2.
Account Management (AC-2)
The organization manages information system accounts, including: (a) Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); (b) Establishing conditions for group membership; (c) Identifying authorized users of the information system and specifying access privileges; (d) Requiring appropriate approvals for requests to establish accounts; (e) Establishing, activating, modifying, disabling, and removing accounts; (f) Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; (g) Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; (h) Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users; (i) Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and (j) Reviewing accounts [Assignment: organization-defined frequency]. AC-2j Parameter Requirement: [at least annually]
AC-2 Responsible Role: Parameter AC-2j: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Summary Information
Page 54
<Information System Name> System Security Plan Version <0.00> / <Date> AC-2 Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-2 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Part d
Part e
Part f
Part g
Page 55
<Information System Name> System Security Plan Version <0.00> / <Date> AC-2 What is the solution and how is it implemented? Part h
Part i
Part j
13.1.2.1.
Control Enhancements for Account Management
13.1.2.1.1. Control Enhancement AC-2 (1) AC-2 (1) The organization employs automated mechanisms to support the management of information system accounts.
AC-2 (1) Control Enhancement Summary Information Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-2 (1) What is the solution and how is it implemented?
Page 56
<Information System Name> System Security Plan Version <0.00> / <Date> AC-2 (1) What is the solution and how is it implemented?
13.1.2.1.2. Control Enhancement AC-2 (2) AC-2 (2) The information system automatically terminates temporary and emergency accounts after [Assignment: organization-defined time period for each type of account (temporary and emergency)]. AC-2 (2) Parameter Requirement: [no more than ninety days for temporary and emergency account types]
AC-2 (2) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-2 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 57
13.1.2.1.3. Control Enhancement AC-2 (3) AC-2 (3) The information system automatically disables inactive accounts after [Assignment: organization-defined time period]. AC-2 (3) Parameter Requirement: [ninety days for user accounts]. See additional requirements and guidance. AC-2 (3) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the time period for non-user accounts (e.g., accounts associated with devices). The time periods are approved and accepted by the JAB.
AC-2 (3) Responsible Role: Parameter: Parameter Additional: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid(Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-2 (3) What is the solution and how is it implemented? Control Enhancement Summary Information
13.1.2.1.4. Control Enhancement AC-2 (4) AC-2 (4) The information system automatically audits account creation, modification, disabling, and termination actions and notifies, as required, appropriate individuals.
Page 58
AC-2 (4) Responsible Role:
Control Enhancement Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-2 (4) What is the solutions and how is it implemented?
13.1.2.1.5. Control Enhancement AC-2 (7) AC-2 (7) The organization: (a) Establishes and administers privileged user accounts in accordance with a role-based access scheme that organizes information system and network privileges into roles; and (b) Tracks and monitors privileged role assignments.
AC-2 (7) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Enhancement Summary Information
Page 59
<Information System Name> System Security Plan Version <0.00> / <Date> AC-2 (7) Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-2 (7) What is the solution and how is it implemented? Part a Control Enhancement Summary Information
Part b
13.1.3.
Access Enforcement (AC-3)
The information system enforces approved authorizations for logical access to the system in accordance with applicable policy.
AC-3 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Control Summary Information
Page 60
<Information System Name> System Security Plan Version <0.00> / <Date> AC-3 Control Summary Information
Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-3 What is the solution and how is it implemented?
13.1.3.1.
Control Enhancement for Access Enforcement
13.1.3.1.1. Control Enhancement AC-3 (3) AC-3 (3) The information system enforces [Assignment: organization-defined nondiscretionary access control policies] over [Assignment: organization-defined set of users and resources] where the policy rule set for each policy specifies: (a) Access control information (i.e., attributes) employed by the policy rule set (e.g., position, nationality, age, project, time of day); and (b) Required relationships among the access control information to permit access. AC-3 (3) Parameter Requirements: Parameter1: [role-based access control] Parameter2: [all users and resources]
AC-3 (3) Responsible Role: Parameter 1: Parameter 2: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Control Enhancement Summary Information
Page 61
<Information System Name> System Security Plan Version <0.00> / <Date> AC-3 (3) Control Enhancement Summary Information
Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-3 (3) What is the solution and how is it implemented? Part a
Part b
Additional FedRAMP Requirements and Guidance: AC-3 (3) The service provider: (a) Assigns user accounts and authenticators in accordance within service provider's rolebased access control policies; (b) Configures the information system to request user ID and authenticator prior to system access; and (c) Configures the databases containing federal information in accordance with service provider's security administration guide to provide role-based access controls enforcing assigned privileges and permissions at the file, table, row, column, or cell level, as appropriate.
AC-3 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Additional FedRAMP Control Summary Information
Page 62
<Information System Name> System Security Plan Version <0.00> / <Date> AC-3 (3) Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-3 (3) What is the solution and how is it implemented? Part a Additional FedRAMP Control Summary Information
Part b
Part c
13.1.4.
Information Flow Enforcement (AC-4)
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
AC-4 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Summary Information
Page 63
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-4 What is the solution and how is it implemented?
13.1.5.
The organization:
Separation of Duties (AC-5)
(a) Separates duties of individuals as necessary, to prevent malevolent activity without collusion; (b) Documents separation of duties; and (c) Implements separation of duties through assigned information system access authorizations.
AC-5 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Summary Information
Page 64
Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-5 What is the solution and how is it implemented? Part a
Part b
Part c
13.1.6.
Least Privilege (AC-6)
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
AC-6 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Control Summary Information
Page 65
Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-6 What is the solution and how is it implemented?
13.1.6.1.
Control Enhancements for Least Privilege
13.1.6.1.1. Control Enhancement AC-6 (1) AC-6 (1) The organization explicitly authorizes access to [Assignment: organization-defined list of security functions (deployed in hardware, software, and firmware and security-relevant information]. AC-6 (1) Parameter Requirement: See additional requirements and guidance. AC-6 (1) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the list of security functions. The list of functions is approved and accepted by the JAB.
AC-6 (1) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Control Enhancement Summary Information
Page 66
Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA>
AC-6 (1) What is the solution and how is it implemented?
13.1.6.1.2. Control Enhancement AC-6 (2) AC-6 (2) The organization requires that users of information system accounts, or roles, with access to [Assignment: organization-defined list of security functions or security-relevant information], use non-privileged accounts, or roles, when accessing other system functions, and if feasible, audits any use of privileged accounts, or roles, for such functions. AC-6 (2) Parameter Requirement: [all security functions] AC-6 (2) Additional FedRAMP Requirements and Guidance: Guidance: Examples of security functions include but are not limited to: establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters, system programming, system and security administration, other privileged functions.
AC-6 (2) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Control Enhancement Summary Information
Page 67
13.1.7.
Unsuccessful Login Attempts (AC-7)
The information system: (a) Enforces a limit of [Assignment: organization-defined number] consecutive invalid login attempts by a user during [Assignment: organization-defined time period]; and AC-7a Parameter Requirements: Parameter 1: [not more than three] Parameter 2: [fifteen minutes] (b) Automatically [Selection: locks the account/node for an [Assignment: organizationdefined time period]; locks the account/node until released by an administrator; delays next login prompt according to [Assignment: organization-defined delay algorithm]] when the maximum number of unsuccessful attempts is exceeded. The control applies regardless of whether the login occurs via a local or network connection. AC-7b Parameter Requirement: [locks the account/node for thirty minutes]
AC-7 Responsible Role: AC-7a Parameter 1: AC-7a Parameter 2: AC-7b Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Summary Information
Page 68
<Information System Name> System Security Plan Version <0.00> / <Date> AC-7 Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-7 What is the solution and how is it implemented? Part 7a Control Summary Information
Part 7b
13.1.8.
System Use Notification (AC-8)
The information system: (a) Displays an approved system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: (i) users are accessing a U.S. Government information system; (ii) system usage may be monitored, recorded, and subject to audit; (iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and (iv) use of the system indicates consent to monitoring and recording; (b) Retains the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and (c) For publicly accessible systems: (i) displays the system use information when appropriate, before granting further access; (ii) displays references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and (iii)
Page 69
includes in the notice given to public users of the information system, a description of the authorized uses of the system.
AC-8 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-8 What is the solution and how is it implemented? Part a (i, ii, iii, iv) Control Summary Information
Part b
Part c (i, ii, iii)
Additional FedRAMP Requirements and Guidance Requirement 1: The service provider shall determine elements of the cloud environment that require the System Use Notification control. The elements of the cloud environment that require System Use Notification are approved and accepted by the JAB. Requirement 2: The service provider shall determine how System Use Notification is
Page 70
going to be verified and provide appropriate periodicity of the check. The System Use Notification verification and periodicity are approved and accepted by the JAB. Guidance: If performed as part of a Configuration Baseline check, then the % of items requiring setting that are checked and that pass (or fail) check can be provided. Requirement 3: If not performed as part of a Configuration Baseline check, then there must be documented agreement on how to provide results of verification and the necessary periodicity of the verification by the service provider. The documented agreement on how to provide verification of the results are approved and accepted by the JAB.
AC-8 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-8 What is the solution and how is it implemented? Req. 1 Additional FedRAMP Control Summary Information
Req. 2
Req. 3
Page 71
13.1.9.
Concurrent Session Control (AC-10)
The information system limits the number of concurrent sessions for each system account to [Assignment: organization-defined number] AC-10 Parameter Requirement: [one session]
AC-10 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-10 What is the solution and how is it implemented? Control Summary Information
13.1.10.
Session Lock (AC-11)
The information system: (a) Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period]; and AC-11a Parameter Requirement: [fifteen minutes]
Page 72
(b) Retains the session lock until the user reestablishes access using established identification and authentication procedures.
AC-11 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-7 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.1.10.1.
Control Enhancements for Session Lock
13.1.10.1.1. Control Enhancement AC-11 (1) AC-11 (1) The information system session lock mechanism, when activated on a device with a display screen, places a publicly viewable pattern onto the associated display, hiding what was previously visible on the screen.
Page 73
<Information System Name> System Security Plan Version <0.00> / <Date> AC-11 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-11 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.1.11. 14)
The organization:
Permitted Actions w/o Identification or Authentication (AC-
(a) Identifies specific user actions that can be performed on the information system without identification or authentication; and (b) Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification and authentication.
AC-14 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Control Summary Information
Page 74
Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-14 What is the solution and how is it implemented?
13.1.11.1.
Control Enhancements for Permitted Actions w/o Identification or Auth.
13.1.11.1.1. Control Enhancement AC-14(1) The organization permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.
AC-14(1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Control Enhancement Summary Information
Page 75
<Information System Name> System Security Plan Version <0.00> / <Date> AC-14(1) Control Enhancement Summary Information
AC-14(1) What is the solution and how is it implemented?
13.1.12.
Security Attributes (AC-16)
The information system: Supports and maintains the binding of [Assignment: organizationdefined security attributes] to information in storage, in process, and in transmission. AC-16 Parameter Requirement: See additional requirements and guidance. AC-16 Additional FedRAMP Requirements and Guidance: Requirement: If the service provider offers the capability of defining the security attributes then the security attributes need to be approved and accepted by JAB.
AC-16 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 76
<Information System Name> System Security Plan Version <0.00> / <Date> AC-16 What is the solution and how is it implemented?
13.1.13.
The organization:
Remote Access (AC-17)
(a) Documents allowed methods of remote access to the information system; (b) Establishes usage restrictions and implementation guidance for each allowed remote access method; (c) Monitors for unauthorized remote access to the information system; (d) Authorizes remote access to the information system prior to connection; and (e) Enforces requirements for remote connections to the information system.
AC-17 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-17 What is the solution and how is it implemented? Control Summary Information
Page 77
<Information System Name> System Security Plan Version <0.00> / <Date> AC-17 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
Part e
13.1.13.1.
Control Enhancements for Remote Control
13.1.13.1.1. Control Enhancement AC-17 (1) AC-17 (1) The organization employs automated mechanisms to facilitate the monitoring and control of remote access methods.
AC-17 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Enhancement Summary Information
Page 78
Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-17 (1) What is the solution and how is it implemented?
13.1.13.1.2. Control Enhancement AC-17 (2) AC-17 (2) The organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
AC-17 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-17 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 79
13.1.13.1.3. Control Enhancement AC-17 (3) AC-17 (3) The information system routes all remote accesses through a limited number of managed access control points.
AC-17 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-17 (3) What is the solution and how is it implemented? Control Enhancement Summary Information
13.1.13.1.4. Control Enhancement AC-17 (4) AC-17 (4) The organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access in the security plan for the information system.
AC-17 (4) Control Enhancement Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply):
Page 80
<Information System Name> System Security Plan Version <0.00> / <Date> Service Provider Corporate Service Provider System Specific Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-17 (4) What is the solution and how is it implemented?
13.1.13.1.5. Control Enhancement AC-17 (5) AC-17 (5) The organization monitors for unauthorized remote connections to the information system [Assignment: organization-defined frequency], and takes appropriate action if an unauthorized connection is discovered. AC-17 (5) Parameter Requirement: [continuously, real time]
AC-17 (5) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 81
13.1.13.1.6. Control Enhancement AC-17 (7) AC-17 (7) The organization ensures that remote sessions for accessing [Assignment: organization-defined list of security functions and security-relevant information] employ [Assignment: organization-defined additional security measures] and are audited. AC-17 (7) Parameter Requirement: See additional requirements and guidance. AC-17 (7) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the list of security functions and security relevant information. Security functions and the implementation of such functions are approved and accepted by the JAB. Guidance: Security functions include but are not limited to: establishing system accounts; configuring access authorizations; performing system administration functions; and auditing system events or accessing event logs; SSH, and VPN.
Page 82
13.1.13.1.7. Control Enhancement AC-17 (8) AC-17 (8) The organization disables [Assignment: organization-defined networking protocols within the information system deemed to be non-secure] except for explicitly identified components in support of specific operational requirements. AC-17 (8) Parameter Requirements: [tftp, (trivial ftp); X-Windows, Sun Open Windows; FTP; TELNET; IPX/SPX; NETBIOS; BlueTooth; RPC-services, like NIS or NFS; rlogin, rsh, rexec; SMTP (Simple Mail Transfer Protocol); RIP (Routing Information Protocol); DNS (Domain Name Services); UUCP (Unix-Unix Copy Protocol); NNTP (Network News Transfer Protocol); NTP (Network Time Protocol); Peer-to-Peer] AC-17 (8) Additional FedRAMP Requirements and Guidance: Requirement: Networking protocols implemented by the service provider are approved and accepted by JAB. Guidance: Exceptions to restricted networking protocols are granted for explicitly identified information system components in support of specific operational requirements.
AC-17 (8) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 83
13.1.14.
The organization:
Wireless Access Restrictions (AC-18)
(a) Establishes usage restrictions and implementation guidance for wireless access; (b) Monitors for unauthorized wireless access to the information system; (c) Authorizes wireless access to the information system prior to connection; and (d) Enforces requirements for wireless connections to the information system.
AC-18 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-18 What is the solution and how is it implemented? Control Summary Information
Page 84
Part b
Part c
Part d
13.1.14.1.
Wireless Access Restrictions Control Enhancements
13.1.14.1.1. Control Enhancement AC-18 (1) AC-18 (1) The information system protects wireless access to the system using authentication and encryption.
AC-18 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 85
13.1.14.1.2. Control Enhancement AC-18 (2) AC-18 (2) The organization monitors for unauthorized wireless connections to the information system, including scanning for unauthorized wireless access points [Assignment: organizationdefined frequency], and takes appropriate action if an unauthorized connection is discovered. AC-18 (2) Parameter Requirement: [at least quarterly]
13.1.15.
Access Control for Portable and Mobile Systems (AC-19)
Page 86
The organization: (a) Establishes usage restrictions and implementation guidance for organization-controlled mobile devices; (b) Authorizes connection of mobile devices meeting organizational usage restrictions and implementation guidance to organizational information systems; (c) Monitors for unauthorized connections of mobile devices to organizational information systems; (d) Enforces requirements for the connection of mobile devices to organizational information systems; (e) Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction; (f) Issues specially configured mobile devices to individuals traveling to locations that the organization deems to be of significant risk in accordance with organizational policies and procedures; and (g) Applies [Assignment: organization-defined inspection and preventative measures] to mobile devices returning from locations that the organization deems to be of significant risk in accordance with organizational policies and procedures. AC-19g Parameter Requirement: See additional requirements and guidance. AC-19g Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines inspection and preventative measures. The measures are approved and accepted by JAB.
AC-19 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Control Summary Information
Page 87
Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-19 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
Part e
Part f
Part g
Page 88
13.1.15.1.
Access Control for Portable and Mobile Systems Control Enhancements
13.1.15.1.1. Control Enhancement AC-19 (1) AC-19 (1) The organization restricts the use of writable, removable media in organizational information systems.
AC-19 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific (Corporate and System Specific) Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-19 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.1.15.1.2. Control Enhancement AC-19 (2) AC-19 (2) The organization prohibits the use of personally owned removable media in organizational information systems.
AC-19 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Control Enhancement Summary Information
Page 89
Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-19 (2) What is the solution and how is it implemented?
13.1.15.1.3. Control Enhancement AC-19 (3) AC-19 (3) The organization prohibits the use of removable media in organizational information systems when the media has no identifiable owner.
AC-19 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 90
13.1.16.
Use of External Information Systems (AC-20)
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: (a) Access the information system from the external information systems; and (b) Process, store, and/or transmit organization-controlled information using the external information systems.
AC-20 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-20 What is the solution and how is it implemented? Part a Control Summary Information
Page 91
<Information System Name> System Security Plan Version <0.00> / <Date> AC-20 What is the solution and how is it implemented? Part b
13.1.16.1.
Use of External Information Systems Control Enhancements
13.1.16.1.1. Control Enhancement AC-20 (1) AC-20 (1) The organization permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when the organization: (a) Can verify the implementation of required security controls on the external system as specified in the organizations information security policy and security plan; or (b) Has approved information system connection or processing agreements with the organizational entity hosting the external information system.
AC-20 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-20 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 92
<Information System Name> System Security Plan Version <0.00> / <Date> AC-20 (1) What is the solution and how is it implemented? Part a
Part b
13.1.16.1.2. Control Enhancement AC-20 (2) AC-20 (2) The organization limits the use of organization-controlled portable storage media by authorized individuals on external information systems.
AC-20 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-20 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
13.1.17.
The organization:
Publicly Accessible Content (AC-22)
Page 93
(a) Designates individuals authorized to post information onto an organizational information system that is publicly accessible; (b) Trains authorized individuals to ensure that publicly accessible information does not contain non-public information; (c) Reviews the proposed content of publicly accessible information for nonpublic information prior to posting onto the organizational information system; (d) Reviews the content on the publicly accessible organizational information system for non-public information [Assignment: organization-defined frequency] ; and AC-22d Parameter Requirements: [at least quarterly] (e) Removes nonpublic information from the publicly accessible organizational information system, if discovered.
AC-22 Responsible Role: AC-22d Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AC-22 What is the solution and how is it implemented? Control Summary Information
Page 94
Part b
Part c
Part d
Part e
13.2. AWARENESS AND TRAINING (AT) 13.2.1. Security Awareness and Training Policy and Procedures (AT-1)
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls. AT-1 Parameter Requirement: [at least annually]
AT-1 Responsible Role: Control Summary Information
Page 95
<Information System Name> System Security Plan Version <0.00> / <Date> AT-1 Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) AC-22 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.2.2.
Security Awareness (AT-2)
The organization provides basic security awareness training to all information system users (including managers, senior executives, and contractors) as part of initial training for new users, when required by system changes, and [Assignment: organization-defined frequency] thereafter. AT-2 Parameter Requirement: [at least annually]
AT-2 Responsible Role: Parameter Implementation Status (check all that apply): Implemented Partially implemented Control Summary Information
Page 96
<Information System Name> System Security Plan Version <0.00> / <Date> AT-2 Control Summary Information
Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AT-2 What is the solution and how is it implemented?
13.2.3.
Security Training (AT-3)
The organization provides role-based security-related training: (a) Before authorizing access to the system or performing assigned duties; (b) When required by system changes; and [Assignment: organization-defined frequency] thereafter. AT-3 Parameter Requirement: [at least every three years]
AT-3 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Summary Information
Page 97
<Information System Name> System Security Plan Version <0.00> / <Date> AT-3 Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AT-3 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.2.4.
The organization:
Security Training Records (AT-4)
(a) Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and (b) Retains individual training records for [Assignment: organization-defined frequency] AT-4b Parameter Requirement: [At least three years]
AT-4 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Control Summary Information
Page 98
<Information System Name> System Security Plan Version <0.00> / <Date> AT-4 Control Summary Information
Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AT-4 What is the solution and how is it implemented? Part a
Part b
13.3. AUDIT AND ACCOUNTABILITY (AU) 13.3.1. Audit and Accountability Policy and Procedures (AU-1)
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. AU-1 Parameter Requirement: [at least annually]
AU-1 Control Summary Information
Page 99
<Information System Name> System Security Plan Version <0.00> / <Date> AU-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) AU-1 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.3.2.
The organization:
Auditable Events (AU-2)
(a) Determines, based on a risk assessment and mission/business needs, that the information system must be capable of auditing the following events [Assignment: organizationdefined list of auditable events]; AU-2a Parameter Requirement: [Successful and unsuccessful account logon events, account management events, object access, policy change, privilege functions, process tracking, and system events. For Web applications: all administrator activity, authentication checks, authorization checks, data deletions, data access, data changes, and permission changes]
Page 100
(b) Coordinates the security audit function with other organizational entities requiring audit related information to enhance mutual support and to help guide the selection of auditable events; (c) Provides a rationale for why the list of auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and (d) Determines, based on current threat information and ongoing assessment of risk, that the following events are to be audited [Assignment: organization-defined subset of the auditable events defined in AU-2 a. to be audited] within the information system [Assignment: organization-defined frequency of (or situation requiring) auditing for each identified event]. AU-2d Parameter Requirement: [continually] AU-2d Additional FedRAMP Parameter Requirement: Requirement: The service provider defines the subset of auditable events from AU-2a to be audited. The events to be audited are approved and accepted by JAB.
AU-2 Responsible Role: AU-2a Parameter: AU-2d Parameter: AU-2d Additional FedRAMP Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-2 What is the solution and how is it implemented? Control Summary Information
Page 101
<Information System Name> System Security Plan Version <0.00> / <Date> AU-2 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
13.3.2.1.
Control Enhancements for Auditable Events
13.3.2.1.1. Control Enhancement AU-2 (3) AU-2 (3) The organization reviews and updates the list of auditable events [Assignment: organization-defined frequency] AU-2 (3) Parameter Requirement: [annually or whenever there is a change in the threat environment] AU-2 (3) Additional FedRAMP Requirements and Guidance: Guidance: Annually or whenever changes in the threat environment are communicated to the service provider by the JAB.
AU-2 (3) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Enhancement Summary Information
Page 102
<Information System Name> System Security Plan Version <0.00> / <Date> AU-2 (3) Control Enhancement Summary Information
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-2 (3) What is the solution and how is it implemented?
13.3.2.1.2. Control Enhancement AU-2 (4) AU-2 (4) The organization includes execution of privileged functions in the list of events to be audited by the information system.
AU-2 (4) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-2 (4) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 103
<Information System Name> System Security Plan Version <0.00> / <Date> AU-2 (4) What is the solution and how is it implemented?
AU-2(4) Additional FedRAMP Requirements and Guidance: Requirement: The service provider configures the auditing features of operating systems, databases, and applications to record security-related events, to include logon/logoff and all failed access attempts
AU-2(4) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-2(4) What is the solution and how is it implemented? Additional FedRAMP Control Summary Information
13.3.3.
Content of Audit Records (AU-3)
The information system produces audit records that contain sufficient information to, at a minimum, establish what type of event occurred, when (date and time) the event occurred, where the event occurred, the source of the event, the outcome (success or failure) of the event, and the identity of any user/subject associated with the event.
Page 104
<Information System Name> System Security Plan Version <0.00> / <Date> AU-3 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-3 What is the solution and how is it implemented? Control Summary Information
13.3.3.1.
Control Enhancement for Content of Audit Records
13.3.3.1.1. Control Enhancement AU-3 (1) AU-3 (1) The information system includes [Assignment: organization-defined additional, more detailed information] in the audit records for audit events identified by type, location, or subject. AU-3 (1) Parameter Requirements: [session, connection, transaction, or activity duration; for client-server transactions, the number of bytes received and bytes sent; additional informational messages to diagnose or identify the event; characteristics that describe or identify the object or resource being acted upon] AU-3 (1) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines audit record types. The audit record types are approved and accepted by the JAB. Guidance: For client-server transactions, the number of bytes sent and received gives bidirectional transfer information that can be helpful during an investigation or inquiry.
AU-3 (1) Control Enhancement Summary Information
Page 105
<Information System Name> System Security Plan Version <0.00> / <Date> AU-3 (1) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-3 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.3.4.
Audit Storage Capacity (AU-4)
The organization allocates audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
AU-4 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Control Summary Information
Page 106
<Information System Name> System Security Plan Version <0.00> / <Date> AU-4 Control Summary Information
Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-4 What is the solution and how is it implemented?
13.3.5.
Response to Audit Processing Failures (AU-5)
The information system: (a) Alerts designated organizational officials in the event of an audit processing failure; and (b) Takes the following additional actions: [Assignment: organization-defined actions to be taken] AU-5b Parameter Requirement: [low-impact: overwrite oldest audit records; moderate-impact: shut down]
AU-5 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Page 107 Control Summary Information
Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-5 What is the solution and how is it implemented? Part a
Part b
13.3.6.
The organization:
Audit Review, Analysis, and Reporting (AU-6)
(a) Reviews and analyzes information system audit records [Assignment: organizationdefined frequency] for indications of inappropriate or unusual activity, and reports findings to designated organizational officials; and AU-6a Parameter Requirement: [at least weekly] (b) Adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk to organizational operations, organizational assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information.
AU-6 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Summary Information
Page 108
<Information System Name> System Security Plan Version <0.00> / <Date> AU-6 Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-6 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.3.6.1.
Control Enhancements for Audit Review, Analysis, and Reporting
13.3.6.1.1. Control Enhancement AU-6 (1) AU-6 (1) The information system integrates audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.
AU-6 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Control Enhancement Summary Information
Page 109
Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-6 (1) What is the solution and how is it implemented?
13.3.6.1.2. Control Enhancement AU-6 (3) AU-6 (3) The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.
AU-6 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-6 (3) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 110
<Information System Name> System Security Plan Version <0.00> / <Date> AU-6 (3) What is the solution and how is it implemented?
13.3.7.
Audit Reduction and Report Generation (AU-7)
The information system provides an audit reduction and report generation capability.
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Corporate (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-7 What is the solution and how is it implemented?
13.3.7.1.
Control Enhancement for Audit Reduction and Report Generation
13.3.7.1.1. Control Enhancement AU-7 (1) AU-7 (1) The information system provides the capability to automatically process audit records for events of interest based on selectable event criteria.
AU-7 (1) Responsible Role: Control Enhancement Summary Information
Page 111
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-7 (1) What is the solution and how is it implemented?
13.3.8.
Time Stamps (AU-8)
The information system uses internal system clocks to generate time stamps for audit records.
AU-8 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Control Summary Information
Page 112
Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-8 What is the solution and how is it implemented?
13.3.8.1.
Control Enhancement for Time Stamps
13.3.8.1.1. Control Enhancement AU-8 (1) AU-8 (1) The information system synchronizes internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]. AU-8 (1) Parameter Requirements: Parameter 1: [at least hourly] Parameter 2: [http://tf.nist.gov/tf-cgi/servers.cgi]
AU-8 (1) Responsible Role: Parameter 1: Parameter 2: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 113
AU-8 (1) What is the solution and how is it implemented?
AU-8 (1) Additional FedRAMP Requirements and Guidance: Requirement 1: The service provider selects primary and secondary time servers used by the NIST Internet time service. The secondary server is selected from a different geographic region than the primary server. Requirement 2: The service provider synchronizes the system clocks of network computers that run operating systems other than Windows with the Windows Server Domain Controller emulator. If there is no Windows Server Domain Controller, servers should synchronize all to the same time source. Guidance: Synchronization of system clocks improves the accuracy of log analysis.
AU-8 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-8 (1) What is the solution and how is it implemented? Additional Control Enhancement Summary Information
Page 114
<Information System Name> System Security Plan Version <0.00> / <Date> AU-8 (1) What is the solution and how is it implemented? Req. 1
Req. 2
13.3.9.
Protection of Audit Information (AU-9)
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-9 What is the solution and how is it implemented?
13.3.9.1.
Control Enhancement for Protection of Audit Information
Page 115
13.3.9.1.1. Control Enhancement AU-9 (2) AU-9 (2) The information system backs up audit records at [Assignment: organization-defined frequency] onto a different system or media than the system being audited. AU-9 (2) Parameter Requirement: [at least weekly]
AU-9 (2) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-9 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
13.3.10.
Non-Repudiation (AU-10)
The information system protects against an individual falsely denying having performed a particular action.
AU-10 Responsible Role: Implementation Status (check all that apply): Implemented Control Summary Information
Page 116
Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-10 What is the solution and how is it implemented?
13.3.10.1.
Control Enhancement for Non-Repudiation
13.3.10.1.1. Control Enhancement AU-10 (5) AU-10 (5) The organization employs [Selection: FIPS-validated; NSA-approved] cryptography (e.g., DoD PKI class 3 or 4 token) to implement digital signatures. AU-10 (5) Parameter Requirement: See additional requirements and guidance. AU-10 (5) Additional FedRAMP Requirements and Guidance: Requirement: The service provider implements FIPS 140-2 validated cryptography (e.g., DOD PKI Class 3 or 4 tokens) for service offerings that include Software-as-a-Service (SaaS) with email.
AU-10 (5) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Enhancement Summary Information
Page 117
<Information System Name> System Security Plan Version <0.00> / <Date> AU-10 (5) Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-10 (5) What is the solution and how is it implemented? Control Enhancement Summary Information
13.3.11.
Audit Record Retention (AU-11)
The organization retains audit records online for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. AU-11 Parameter Requirements: [at least ninety days] AU-11 Additional FedRAMP Requirements and Guidance: Requirement: The service provider retains audit records on-line for at least ninety days and further preserves audit records offline for a period that is in accordance with NARA.
AU-11 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Control Summary Information
Page 118
Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-11 What is the solution and how is it implemented?
13.3.12.
Audit Generation (AU-12)
The information system: (a) Provides audit record generation capability for the list of auditable events defined in AU2 at [Assignment: organization-defined information system components]; AU-12a Parameter Requirements: [all information system components where audit capability is deployed] (b) Allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and (c) Generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
AU-12 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Summary Information
Page 119
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> AU-12 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
13.4. SECURITY ASSESSMENT AND AUTHORIZATION (CA) 13.4.1. Certification, Authorization, Security Assessment Policies and Procedures (CA-1)
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Page 120
(b) Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls. CA-1 Parameter Requirement: [at least annually]
CA-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) CA-1 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.4.2.
The organization:
Security Assessments (CA-2)
(a) Develops a security assessment plan that describes the scope of the assessment including: Security controls and control enhancements under assessment; Assessment procedures to be used to determine security control effectiveness; and Assessment environment, assessment team, and assessment roles and responsibilities;
Page 121
(b) Assesses the security controls in the information system [Assignment: organizationdefined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system; CA-2b Parameter Requirement: [at least annually] (c) Produces a security assessment report that documents the results of the assessment; and (d) Provides the results of the security control assessment, in writing, to the authorizing official or authorizing official designated representative.
CA-2 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CA-2 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Page 122
<Information System Name> System Security Plan Version <0.00> / <Date> CA-2 What is the solution and how is it implemented? Part c
Part d
13.4.2.1.
Control Enhancement for Security Assessments
13.4.2.1.1. Control Enhancement CA-2 (1) CA-2 (1) The organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.
CA-2 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CA-2 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 123
13.4.3.
The organization:
Information System Connections (CA-3)
(a) Authorizes connections from the information system to other information systems outside of the authorization boundary through the use of Interconnection Security Agreements; (b) Documents, for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and (c) Monitors the information system connections on an ongoing basis verifying enforcement of security requirements. Instruction: Items (a) should be documented in the table below. Item (b) should be documented in 11. It is not necessary to re-document item (b) here. Add additional rows as needed. The below table, and the table in 11 should be consistent with each other.
Table 13-2. Authorized Connections
System Name
Name of Organization CSP System Connects To
Role and Name of Person Who Signed Connection Agreement
Name and Date of Interconnection Agreement
CA-3 Responsible Role:
Control Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate
Page 124
<Information System Name> System Security Plan Version <0.00> / <Date> CA-3 Control Summary Information
Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CA-3 What is the solution and how is it implemented? Part a Please see 11 for information about the implementation.
Part b
Please see Table 13-2 and Table 11-1 in 11 for information about the implementation.
Part c
13.4.4.
The organization:
Plan of Action and Milestones (CA-5)
(a) Develops a plan of action and milestones for the information system to document the organizations planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and (b) Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. CA-5b Parameter Requirement: [at least quarterly]
CA-5 Responsible Role: Control Summary Information
Page 125
<Information System Name> System Security Plan Version <0.00> / <Date> CA-5 Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CA-5 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.4.5.
The organization:
Security Authorization (CA-6)
(a) Assigns a senior-level executive or manager to the role of authorizing official for the information system; (b) Ensures that the authorizing official authorizes the information system for processing before commencing operations; and (c) Updates the security authorization [Assignment: organization-defined frequency]. CA-6c Parameter Requirement: [at least every three years or when a significant change occurs]
Page 126
CA-6c Additional FedRAMP Requirements and Guidance: Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would require a reauthorization of the information system. The types of changes are approved and accepted by the JAB.
CA-6 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CA-6 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Page 127
13.4.6.
Continuous Monitoring (CA-7)
The organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes: (a) A configuration management process for the information system and its constituent components; (b) A determination of the security impact of changes to the information system and environment of operation; (c) Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; and (d) Reporting the security state of the information system to appropriate organizational officials [Assignment: organization-defined frequency]. CA-7d Parameter Requirement: [monthly]
CA-7 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CA-7 What is the solution and how is it implemented? Control Summary Information
Page 128
<Information System Name> System Security Plan Version <0.00> / <Date> CA-7 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
13.4.6.1.
Control Enhancement for Continuous Monitoring
13.4.6.1.1. Control Enhancement CA-7 (2) CA-7 (2) The organization plans, schedules, and conducts assessments [Assignment: organization-defined frequency] [Selection: announced; unannounced], [Selection: in-depth monitoring; malicious user testing; penetration testing; red team exercises], [Assignment: organization-defined other forms of security assessment] to ensure compliance with all vulnerability mitigation procedures. CA-7 (2) Parameter Requirements: Parameter 1: [annually] Parameter 2: [unannounced] Parameter 3: [penetration testing] Parameter 4: [in-depth monitoring]
CA-7 (2) Responsible Role: Parameter 1: Parameter 2: Parameter 3: Control Enhancement Summary Information
Page 129
<Information System Name> System Security Plan Version <0.00> / <Date> CA-7 (2) Parameter 4: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CA-7 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
13.5. CONFIGURATION MANAGEMENT (CM) 13.5.1. Configuration Management Policy and Procedures (CM-1)
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. CM-1 Parameter Requirement: [at least annually]
CM-1 Control Enhancement Summary Information
Page 130
<Information System Name> System Security Plan Version <0.00> / <Date> CM-1 Responsible Role: Parameter : Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) CM-1 What is the solution and how is it implemented? Part a Control Enhancement Summary Information
Part b
13.5.2. Baseline Configuration and System Component Inventory (CM-2)

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
CM-2 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Enhancement Summary Information
Page 131
<Information System Name> System Security Plan Version <0.00> / <Date> CM-2 Control Enhancement Summary Information
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-2 What is the solution and how is it implemented?
13.5.2.1. Control Enhancements for Baseline Configuration and System Component Inventory 13.5.2.1.1. Control Enhancement CM-2 (1) CM-2 (1) The organization reviews and updates the baseline configuration of the information system: (a) [Assignment: organization-defined frequency]; CM-2 (1) (a) Parameter Requirement: [annually] (b) When required due to [Assignment: organization-defined circumstances]; and CM-2 (1) (b) Parameter Requirement: [a significant change] CM-2 (1) (b) Additional FedRAMP Requirement and Guidance: Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F. The service provider describes the types of changes to the information system or the environment of operations that would require a review and update of the baseline configuration. The types of changes are approved and accepted by the JAB. (c) As an integral part of information system component installations and upgrades.
CM-2 (1) Control Enhancement Summary Information
Page 132
<Information System Name> System Security Plan Version <0.00> / <Date> CM-2 (1) Responsible Role: Parameter 1a: Parameter 1b: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-2 (1) What is the solution and how is it implemented? Part a Control Enhancement Summary Information
Part b
Part c
13.5.2.1.2. Control Enhancement CM-2 (3) CM-2 (3) The organization retains older versions of baseline configurations as deemed necessary to support rollback.
Page 133
<Information System Name> System Security Plan Version <0.00> / <Date> CM-2 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-2 (3) What is the solution and how is it implemented? Control Enhancement Summary Information
13.5.2.1.3. Control Enhancement CM-2 (5) CM-2 (5) The organization: (a) Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on the information system]; and CM-2 (5) (a) Parameter Requirement: See additional requirements and guidance. CM-2 (5) (a) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines and maintains a list of software programs authorized to execute on the information system. The list of authorized programs is approved and accepted by the JAB. (b) Employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.
CM-2 (5) Control Enhancement Summary Information
Page 134
<Information System Name> System Security Plan Version <0.00> / <Date> CM-2 (5) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-2 (5) What is the solution and how is it implemented? Part a Control Enhancement Summary Information
Part b
13.5.3.
The organization:
Configuration Change Control (CM-3)
(a) Determines the types of changes to the information system that are configuration controlled; (b) Approves configuration-controlled changes to the system with explicit consideration for security impact analyses; (c) Documents approved configuration-controlled changes to the system;
Page 135
(d) Retains and reviews records of configuration-controlled changes to the system; (e) Audits activities associated with configuration-controlled changes to the system; and (f) Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection: (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]]. CM-3f Parameter Requirement: See additional requirements and guidance. CM-3f Additional FedRAMP Requirements and Guidance: Requirement 1: The service provider defines the configuration change control element and the frequency or conditions under which it is convened. The change control element and frequency/conditions of use are approved and accepted by the JAB. Requirement 2: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB.
CM-3 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-3 What is the solution and how is it implemented? Control Summary Information
Page 136
<Information System Name> System Security Plan Version <0.00> / <Date> CM-3 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
Part e
Part f
13.5.3.1.
Control Enhancement for Configuration Change Control
13.5.3.1.1. Control Enhancement CM-3 (2) CM-3 (2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CM-3 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Enhancement Summary Information
Page 137
<Information System Name> System Security Plan Version <0.00> / <Date> CM-3 (2) Control Enhancement Summary Information
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-3 (2) What is the solution and how is it implemented?
13.5.4.
Monitoring Configuration Changes (CM-4)
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CM-4 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-4 What is the solution and how is it implemented? Control Summary Information
Page 138
<Information System Name> System Security Plan Version <0.00> / <Date> CM-4 What is the solution and how is it implemented?
13.5.5.
Access Restrictions for Change (CM-5)
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-5 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-5 What is the solution and how is it implemented? Control Summary Information
13.5.5.1.
Control Enhancements for Access Restrictions for Change
13.5.5.1.1. Control Enhancement CM-5 (1) CM-5 (1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.
Page 139
CM-5 (1) Responsible Role:
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-5 (1) What is the solution and how is it implemented?
CM-5 (5) The organization: (a) Limits information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment; and (b) Reviews and reevaluates information system developer/integrator privileges [Assignment: organization-defined frequency] CM-5 (5) (b) Parameter Requirement: [at least quarterly]
CM-5 (5) Responsible Role: Parameter: Control Enhancement Summary Information
Page 140
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-5 (5) What is the solution and how is it implemented? Part a
Part b
13.5.6.
The organization:
Configuration Settings (CM-6)
(a) Establishes and documents mandatory configuration settings for information technology products employed within the information system [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with the sensitivity level; CM-6a Additional FedRAMP Requirements and Guidance: Requirement: Use USGCB configuration checklists if available. If not available, the service provider uses configuration settings based on industry best practices such as Center for Internet Security guidelines. Otherwise, the service provider establishes their own configuration settings. Indicate if checklists from outside organizations are used. Indicate if checklists for configuration settings are Security Content Automation
Page 141
Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available). Configuration settings are approved and accepted by the JAB. (b) Implements the configuration settings; (c) Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and (d) Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. Note: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc\ Information on SCAP can be found at: http://scap.nist.gov/
CM-6 Responsible Role:
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA>
CM-6 What is the solution and how is it implemented?
Page 142
<Information System Name> System Security Plan Version <0.00> / <Date> CM-6 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
13.5.6.1.
Control Enhancements for Configuration Settings
13.5.6.1.1. Control Enhancement CM-6 (1) CM-6 (1) The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.
CM-6 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 143
CM-6 (1) What is the solution and how is it implemented?
13.5.6.1.2. Control Enhancement CM-6 (3) CM-6 (3) The organization incorporates detection of unauthorized, security-relevant configuration changes into the organizations incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
CM-6 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-6 (3) What is the solution and how is it implemented? Control Enhancement Summary Information
13.5.7.
Least Functionality (CM-7)
The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services]
Page 144
CM-7 Parameter Requirement: See additional requirements and guidance. CM-7 Additional FedRAMP Requirements and Guidance: Requirement: The service provider uses the Center for Internet Security guidelines (Level 1) to establish a list of prohibited or restricted functions, ports, protocols, and/or services or establishes its own list of prohibited or restricted functions, ports, protocols, and/or services if USGCB is not available. The list of prohibited or restricted functions, ports, protocols, and/or services is approved and accepted by the JAB. Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc.
CM-7 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-7 What is the solution and how is it implemented? Control Summary Information
13.5.7.1.
Control Enhancements for Least Functionality
13.5.7.1.1. Control Enhancement CM-7 (1) CM-7 (1) The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.
Page 145
CM-7 (1) Parameter Requirement: [at least quarterly]

CM-7 (1) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-7 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.5.8.
Information System Component Inventory (CM-8)
The organization develops, documents, and maintains an inventory of information system components that: (a) Accurately reflects the current information system; (b) Is consistent with the authorization boundary of the information system; (c) Is at the level of granularity deemed necessary for tracking and reporting; (d) Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and
Page 146
CM-8d Parameter Requirement: See additional requirements and guidance. CM-8d Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines information deemed necessary to achieve effective property accountability. Property accountability information is approved and accepted by the JAB. Guidance: Information deemed necessary to achieve effective property accountability may include hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name and network address. (e) Is available for review and audit by designated organizational officials.
CM-8 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Instruction: A description of the inventory information is documented in Section 3.4. It is not necessary to re-document it here. 13.5.8.1. Control Enhancements for Information System Component Inventory
13.5.8.1.1. Control Enhancement CM-8 (1) CM-8 (1) The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
Page 147
CM-8 (1) Responsible Role:
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-8 (1) What is the solution and how is it implemented?
13.5.8.1.2. Control Enhancement CM-8 (3) CM-8 (3) The organization: (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and CM-8 (3) (a) Parameter Requirements: [continuously, using automated mechanisms with a maximum five-minute delay in detection] (b) Disables network access by such components/devices or notifies designated organizational officials.
CM-8 (3) Responsible Role: Parameter: Control Enhancement Summary Information
Page 148
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-8 (3) What is the solution and how is it implemented? Part a
Part b
13.5.8.1.3. Control Enhancement CM-8 (5) CM-8 (5) The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.
CM-8 (5) Responsible Role: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Enhancement Summary Information
Page 149
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Share (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-8 (5) What is the solution and how is it implemented?
13.5.9.
Configuration Management Plan (CM-9)
The organization develops, documents, and implements a configuration management plan for the information system that: (a) Addresses roles, responsibilities, and configuration management processes and procedures; (b) Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and (c) Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
CM-9 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Summary Information
Page 150
<Information System Name> System Security Plan Version <0.00> / <Date> CM-9 Control Summary Information
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CM-9 What is the solution and how is it implemented? Part a
Part b
13.6. CONTINGENCY PLANNING (CP) 13.6.1. Contingency Planning Policy and Procedures (CP-1)
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls. CP-1 Parameter Requirement: [at least annually]
CP-1 Responsible Role: Parameter: Control Summary Information
Page 151
<Information System Name> System Security Plan Version <0.00> / <Date> CP-1 Control Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) CP-1 What is the solution and how is it implemented? Part a
Part b
13.6.2.
The organization:
Contingency Plan (CP-2)
(a) Develops a contingency plan for the information system that:

Identifies essential missions and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full information system restoration without deterioration of the security measures originally planned and implemented; and Is reviewed and approved by designated officials within the organization;
(b) Distributes copies of the contingency plan to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements];
Page 152
CP-2b Parameter Requirement: See additional requirements and guidance. CP-2b Additional FedRAMP Parameter Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel. (c) Coordinates contingency planning activities with incident handling activities; (d) Reviews the contingency plan for the information system [Assignment: organizationdefined frequency]; CP-2d Parameter Requirement: [at least annually] (e) Revises the contingency plan to address changes to the organization, information system, or environment of operation and problems encountered during contingency plan implementation, execution, or testing; and (f) Communicates contingency plan changes to [Assignment: organization-defined list of key contingency personnel (identified by name and/or by role) and organizational elements] CP-2f Parameter Requirement: See additional requirements and guidance. CP-2f Additional FedRAMP Parameter Requirement: The service provider defines a list of key contingency personnel (identified by name and/or by role) and organizational elements. The contingency list includes designated FedRAMP personnel.
CP-2 Responsible Role: Parameter 2b: Parameter 2d: Parameter 2f: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Summary Information
Page 153
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-2 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
Part e
Part f
13.6.2.1.
Control Enhancements for Contingency Plan
13.6.2.1.1. Control Enhancement CP-2 (1) CP-2 (1) The organization coordinates contingency plan development with organizational elements responsible for related plans.
Page 154
CP-2 (1) Responsible Role:
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-2 (1) What is the solution and how is it implemented?
13.6.2.1.2. Control Enhancement CP-2 (2) CP-2 (2) The organization conducts capacity planning so that necessary capacity for information processing, telecommunications, and environmental support exists during contingency operations.
CP-2 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Control Enhancement Summary Information
Page 155
<Information System Name> System Security Plan Version <0.00> / <Date> CP-2 (2) Control Enhancement Summary Information
Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-2 (2) What is the solution and how is it implemented?
13.6.3.
Contingency Training (CP-3)
The organization trains personnel in their contingency roles and responsibilities with respect to the information system and provides refresher training [Assignment: organization-defined frequency] CP-3 Parameter Requirement: Parameter: [at least annually]
CP-3 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 156
CP-3 What is the solution and how is it implemented?
13.6.4.
The organization:
Contingency Plan Testing and Exercises (CP-4)
(a) Tests and/or exercises the contingency plan for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the plans effectiveness and the organizations readiness to execute the plan; and CP-4a Parameter Requirements: Parameter 1: [at least annually for moderate impact systems; at least every three years for low impact systems] Parameter 2: [functional exercises for moderate impact systems; classroom exercises/table top written tests for low impact systems] CP-4a Additional FedRAMP Requirements and Guidance: Requirement: The service provider develops test plans in accordance with NIST Special Publication 800-34 (as amended) and provides plans to FedRAMP prior to initiating testing. Test plans are approved and accepted by the JAB. (b) Reviews the contingency plan test/exercise results and initiates corrective actions.
CP-4 Responsible Role: 4a Parameter 1: 4a Parameter 2: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Control Summary Information
Page 157
Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-4 What is the solution and how is it implemented? Part a
Part b
13.6.4.1.
Control Enhancements for Contingency Plan Testing and Exercises
13.6.4.1.1. Control Enhancement CP-4 (1) CP-4 (1) The organization coordinates contingency plan testing and/or exercises with organizational elements responsible for related plans.
CP-4 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Control Enhancement Summary Information
Page 158
CP-4 (1) What is the solution and how is it implemented?
13.6.5.
Alternate Storage Site (CP-6)
The organization establishes an alternate storage site including necessary agreements to permit the storage and recovery of information system backup information.
CP-6 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-6 What is the solution and how is it implemented? Control Summary Information
Page 159
13.6.5.1.
Control Enhancements for Alternate Storage Site
13.6.5.1.1. Control Enhancement CP-6 (1) CP-6 (1) The organization identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.
CP-6 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-6 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.6.5.1.2. Control Enhancement CP-6 (3) CP-6 (3) The organization identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption, or disaster and outlines explicit mitigation actions.
CP-6 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Enhancement Summary Information
Page 160
<Information System Name> System Security Plan Version <0.00> / <Date> CP-6 (3) Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-6 (3) What is the solution and how is it implemented? Control Enhancement Summary Information
13.6.6.
The organization:
Alternate Processing Site (CP-7)
(a) Establishes an alternate processing site including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period consistent with recovery time objectives] when the primary processing capabilities are unavailable; and CP-7a Parameter Requirement: See additional requirements and guidance. CP-7a Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a time period consistent with the recovery time objectives and business impact analysis. The time period is approved and accepted by the JAB. (b) Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.
Page 161
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-7 What is the solution and how is it implemented? Part a
Part b
13.6.6.1.
Control Enhancements for Alternate Processing Site
13.6.6.1.1. Control Enhancement CP-7 (1) CP-7 (1) The organization identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.
CP-7 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Enhancement Summary Information
Page 162
<Information System Name> System Security Plan Version <0.00> / <Date> CP-7 (1) Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-7 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.6.6.1.2. Control Enhancement CP-7 (2) CP-7 (2) The organization identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 163
<Information System Name> System Security Plan Version <0.00> / <Date> CP-7 (2) What is the solution and how is it implemented?
13.6.6.1.3. Control Enhancement CP-7 (3) CP-7 (3) The organization develops alternate processing site agreements that contain priority-ofservice provisions in accordance with the organizations availability requirements.
CP-7 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-7 (3) What is the solution and how is it implemented? Control Enhancement Summary Information
13.6.6.1.4. Control Enhancement CP-7 (5) CP-7 (5) The organization ensures that the alternate processing site provides information security measures equivalent to that of the primary site.
CP-7 (5) Control Enhancement Summary Information
Page 164
<Information System Name> System Security Plan Version <0.00> / <Date> CP-7 (5) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-7 (5) What is the solution and how is it implemented? Control Enhancement Summary Information
13.6.7.
Telecommunications Services (CP-8)
The organization establishes alternate telecommunications services including necessary agreements to permit the resumption of information system operations for essential missions and business functions within [Assignment: organization-defined time period] when the primary telecommunications capabilities are unavailable. CP-8 Parameter Requirement: See additional requirements and guidance. CP-8 Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a time period consistent with the business impact analysis. The time period is approved and accepted by the JAB.
Page 165
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-8 What is the solution and how is it implemented?
13.6.7.1.
Control Enhancements for Telecommunications Services
13.6.7.1.1. Control Enhancement CP-8 (1) CP-8 (1) The organization: (a) Develops primary and alternate telecommunications service agreements that contain priority of service provisions in accordance with the organizations availability requirements; and (b) Requests Telecommunications Service Priority for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
CP-8 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Control Enhancement Summary Information
Page 166
Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-8 (1) What is the solution and how is it implemented? Part a
Part b
13.6.7.1.2. Control Enhancement CP-8 (2) CP-8 (2) The organization obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.
CP-8 (2) Responsible Role: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Control Enhancement Summary Information
Page 167
Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-8 (2) What is the solution and how is it implemented?
13.6.8.
The organization:
Information System Backup (CP-9)
(a) Conducts backups of user-level information contained in the information system at least [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] CP-9a Parameter Requirement: [daily incremental; weekly full] CP-9a Additional FedRAMP Requirements and Guidance: Requirement: The service provider maintains at least three backup copies of user-level information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB. (b) Conducts backups of system-level information contained in the information system at least [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives] CP-9b Parameter Requirement: [daily incremental; weekly full] CP-9b Additional FedRAMP Requirements and Guidance: Requirement: The service provider maintains at least three backup copies of system-level information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB. (c) Conducts backups of information system documentation including security-related documentation at least [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]; and
Page 168
CP-9c Parameter Requirement: [daily incremental; weekly full] CP-9c Additional FedRAMP Requirements and Guidance: Requirement: The service provider maintains at least three backup copies of information system documentation including security information (at least one of which is available online) or provides an equivalent alternative. The backup storage capability is approved and accepted by the JAB
CP-9 Responsible Role: Parameter 9a: Parameter 9b: Parameter 9c: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-9 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Page 169
<Information System Name> System Security Plan Version <0.00> / <Date> CP-9 What is the solution and how is it implemented? Part c
13.6.8.1.
Control Enhancements for Information System Backup
13.6.8.1.1. Control Enhancement CP-9 (1) CP-9 (1) The organization tests backup information [Assignment: organization-defined frequency] to verify media reliability and information integrity. CP-9 (1) Parameter Requirement: [at least annually]
CP-9 (1) Responsible Role: Parameter: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-9 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 170
13.6.8.1.2. Control Enhancement CP-9 (3) CP-9 (3) The organization stores backup copies of the operating system and other critical information system software, as well as copies of the information system inventory (including hardware, software, and firmware components) in a separate facility or in a fire-rated container that is not collocated with the operational system.
CP-9 (3) Responsible Role: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-9 (3) What is the solution and how is it implemented? Control Enhancement Summary Information
13.6.9.
Information System Recovery and Reconstitution (CP-10)
The organization provides for the recovery and reconstitution of the information system to a known state after a disruption, compromise, or failure.
CP-10 Responsible Role: Implementation Type (check all that apply): Implemented Partially implemented Control Summary Information
Page 171
Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> CP-10 What is the solution and how is it implemented?
13.6.9.1.
Control Enhancements for System Recovery and Reconstitution
13.6.9.1.1. Control Enhancement CP-10 (2) CP-10 (2) The information system implements transaction recovery for systems that are transaction-based.
CP-10 (2) Responsible Role: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Control Enhancement Summary Information
Page 172
13.6.9.1.2. Control Enhancement CP-10 (3) CP-10 (3) The organization provides compensating security controls for [Assignment: organization-defined circumstances that can inhibit recovery and reconstitution to a known state] CP-10 (3) Parameter Requirement: See additional requirements and guidance. CP-10 (3) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines circumstances that can inhibit recovery and reconstitution to a known state in accordance with the contingency plan for the information system and business impact analysis.
CP-10 (3) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 173
13.7. IDENTIFICATION AND AUTHENTICATION (IA) 13.7.1. Identification and Authentication Policy and Procedures (IA-1)
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls. IA-1 Parameter Requirements: [at least annually]
IA-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) IA-1 What is the solution and how is it implemented? Control Summary Information
Page 174
<Information System Name> System Security Plan Version <0.00> / <Date> IA-1 What is the solution and how is it implemented? Part a
Part b
13.7.2.
User Identification and Authentication (IA-2)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
IA-2 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-2 What is the solution and how is it implemented? Control Summary Information
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Page 175
13.7.2.1.
Control Enhancements for User Identification and Authentication
13.7.2.1.1. Control Enhancement IA-2 (1) IA-2 (1) The information system uses multifactor authentication for network access to privileged accounts.
IA-2 (1) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-2 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.7.2.1.2. Control Enhancement IA-2 (2) IA-2 (2) The information system uses multifactor authentication for network access to nonprivileged accounts.
IA-2 (2) Responsible Role: Implementation Type (check all that apply): Implemented Control Summary Information
Page 176
<Information System Name> System Security Plan Version <0.00> / <Date> IA-2 (2) Control Summary Information
Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-2 (2) What is the solution and how is it implemented?
13.7.2.1.3. Control Enhancement IA-2 (3) IA-2 (3) The information system uses multifactor authentication for local access to privileged accounts.
IA-2 (3) Responsible Role: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination: Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Hybrid (Service Provider and Customer) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 177
IA-2 (3) What is the solution and how is it implemented?
13.7.2.1.4. Control Enhancement IA-2 (8) IA-2 (8) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts. IA-2 (8) Parameter Requirements: See additional requirements and guidance. IA-2 (8) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines replay-resistant authentication mechanisms. The mechanisms are approved and accepted by the JAB.
IA-2 (8) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 178
<Information System Name> System Security Plan Version <0.00> / <Date> IA-2 (8) What is the solution and how is it implemented?
13.7.3.
Device Identification and Authentication (IA-3)
The information system uniquely identifies and authenticates before establishing a connection. [Assignment: organization-defined list of specific and/or types of devices] IA-3 Parameter Requirements: See additional requirements and guidance. IA-3 Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a list a specific devices and/or types of devices. The list of devices and/or device types is approved and accepted by the JAB.
IA-3 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 179
<Information System Name> System Security Plan Version <0.00> / <Date> IA-3 What is the solution and how is it implemented?
13.7.4.
Identifier Management (IA-4)
The organization manages information system identifiers for users and devices by: (a) Receiving authorization from a designated organizational official to assign a user or device identifier; (b) Selecting an identifier that uniquely identifies an individual or device; (c) Assigning the user identifier to the intended party or the device identifier to the intended device; (d) Preventing reuse of user or device identifiers for [Assignment: organization-defined time period]; and IA-4d Parameter Requirements: [at least two years] (e) Disabling the user identifier after [Assignment: organization-defined time period of inactivity] IA-4e Parameter 1 Requirements: [ninety days for user identifiers] IA-4e Parameter 2 Requirements: See additional requirements and guidance. IA-4e Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines time period of inactivity for device identifiers. The time period is approved and accepted by JAB.
Page 180
<Information System Name> System Security Plan Version <0.00> / <Date> IA-4 Responsible Role: Parameter 4d: Parameter 4e: Parameter 4e Additional: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-4 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Part d
Page 181
<Information System Name> System Security Plan Version <0.00> / <Date> IA-4 What is the solution and how is it implemented? Part e
13.7.4.1.
Control Enhancement for Identifier Management
13.7.4.1.1. Control Enhancement IA-4 (4) IA-4 (4) The organization manages user identifiers by uniquely identifying the user as: [Assignment: organization-defined characteristic identifying user status] IA-4 (4) Parameter Requirements: [contractors; foreign nationals]
IA-4 (4) Responsible Role: Parameter: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-4 (4) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 182
13.7.5.
Authenticator Management (IA-5)
The organization manages information system authenticators for users and devices by: (a) Verifying, as part of the initial authenticator distribution, the identity of the individual and/or device receiving the authenticator; (b) Establishing initial authenticator content for authenticators defined by the organization; (c) Ensuring that authenticators have sufficient strength of mechanism for their intended use; (d) Establishing and implementing administrative procedures for initial authenticator distribution, for lost/compromised or damaged authenticators, and for revoking authenticators; (e) Changing default content of authenticators upon information system installation; (f) Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators (if appropriate); (g) Changing/refreshing authenticators at least every [Assignment: organization-defined time period by authenticator type]; IA-5g Parameter Requirements: [sixty days] (h) Protecting authenticator content from unauthorized disclosure and modification; and (i) Requiring users to take, and having devices implement, specific measures to safeguard authenticators.
IA-5 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Control Summary Information
Page 183
<Information System Name> System Security Plan Version <0.00> / <Date> IA-5 Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-5 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Part d
Part e
Part f
Part g
Page 184
<Information System Name> System Security Plan Version <0.00> / <Date> IA-5 What is the solution and how is it implemented? Part h
Part i
13.7.5.1.
Control Enhancements for Authenticator Management
13.7.5.1.1. Control Enhancement IA-5 (1) IA-5 (1) The information system, for password-based authentication: (a) Enforces minimum password complexity of [Assignment: organization-defined requirements for case sensitivity, number of characters, mix of upper-case letters, lower-case letters, numbers, and special characters, including minimum requirements for each type] IA-5 (1) (a) Parameter Requirements: [case sensitive, minimum of twelve characters, and at least one each of upper-case letters, lower-case letters, numbers, and special characters] IA-5 (1) (a) Additional FedRAMP Requirements and Guidance: Guidance: Mobile devices are excluded from the password complexity requirement. (b) Enforces at least a [Assignment: organization-defined number of changed characters] when new passwords are created; IA-5 (1) (b) Parameter Requirements: [at least one or as determined by the information system (where possible)] (c) Encrypts passwords in storage and in transmission; (d) Enforces password minimum and maximum lifetime restrictions of [Assignment: organization-defined numbers for lifetime minimum, lifetime maximum]; and IA-5 (1) (d) Parameter Requirements: [one day minimum, sixty day maximum] (e) Prohibits password reuse for [Assignment: organization-defined number] generations. IA-5 (1) (e) Parameter Requirements: [twenty four]
Page 185
<Information System Name> System Security Plan Version <0.00> / <Date> IA-5 (1) Responsible Role: Parameter a: Parameter b: Parameter d: Parameter e: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-5 (1) What is the solution and how is it implemented? Part a Control Enhancement Summary Information
Part b
Part c
Page 186
<Information System Name> System Security Plan Version <0.00> / <Date> IA-5 (1) What is the solution and how is it implemented? Part d
Part e
13.7.5.1.2. Control Enhancement IA-5 (2) IA-5 (2) The information system, for PKI-based authentication: (a) Validates certificates by constructing a certification path with status information to an accepted trust anchor; (b) Enforces authorized access to the corresponding private key; and (c) Maps the authenticated identity to the user account.
IA-5 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 187
<Information System Name> System Security Plan Version <0.00> / <Date> IA-5 (2) What is the solution and how is it implemented? Part a
Part b
Part c
13.7.5.1.3. Control Enhancement IA-5 (3) IA-5 (3) The organization requires that the registration process to receive [Assignment: organization-defined types of and/or specific authenticators] be carried out in person before a designated registration authority with authorization by a designated organizational official (e.g., a supervisor). IA-5 (3) Parameter Requirements: [HSPD12 smart cards]
IA-5 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 188
<Information System Name> System Security Plan Version <0.00> / <Date> IA-5 (3) What is the solution and how is it implemented?
13.7.5.1.4. Control Enhancement IA-5 (6) IA-5 (6) The organization protects authenticators commensurate with the classification or sensitivity of the information accessed.
IA-5 (6) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-5 (6) What is the solution and how is it implemented? Control Enhancement Summary Information
13.7.5.1.5. Control Enhancement IA-5 (7) IA-5 (7) The organization ensures that unencrypted static authenticators are not embedded in applications or access scripts or stored on function keys
IA-5 (7) Responsible Role: Control Enhancement Summary Information
Page 189
<Information System Name> System Security Plan Version <0.00> / <Date> IA-5 (7) Control Enhancement Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-5 (7) What is the solution and how is it implemented?
13.7.6.
Authenticator Feedback (IA-6)
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
IA-6 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Summary Information
Page 190
<Information System Name> System Security Plan Version <0.00> / <Date> IA-6 Control Summary Information Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-6 What is the solution and how is it implemented?
13.7.7.
Cryptographic Module Authentication (IA-7)
The information system uses mechanisms for authentication to a cryptographic module that meets the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
IA-7 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 191
<Information System Name> System Security Plan Version <0.00> / <Date> IA-7 What is the solution and how is it implemented?
13.7.1. Identification and Authentication (Non-Organizational Users) (IA-8)

The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
IA-8 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IA-8 What is the solution and how is it implemented? Control Summary Information
13.8. INCIDENT RESPONSE (IR) 13.8.1. Incident Response Policy and Procedures (IR-1)
Page 192
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls IR-1 Parameter Requirements: [at least annually]
IR-1 Responsible Role: Parameter: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) IR-1 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.8.2.
The organization:
Incident Response Training (IR-2)
Page 193
(a) Trains personnel in their incident response roles and responsibilities with respect to the information system; and (b) Provides refresher training [Assignment: organization-defined frequency] IR-2b Parameter Requirements: [at least annually]
IR-2 Responsible Role: Parameter: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-2 What is the solution and how is it implemented? Control Summary Information
13.8.3.
Incident Response Testing and Exercises (IR-3)
The organization tests and/or exercises the incident response capability for the information system [Assignment: organization-defined frequency] using [Assignment: organization-defined tests and/or exercises] to determine the incident response effectiveness and documents the results. IR-3 Control Parameter Requirements: Parameter 1: [annually] Parameter 2: See additional requirements and guidance
Page 194
Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines tests and/or exercises in accordance with NIST Special Publication 80061 (as amended). The service provider provides test plans to FedRAMP annually. Test plans are approved and accepted by the JAB prior to test commencing.
IR-3 Responsible Role: Parameter 1: Parameter 2: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-3 What is the solution and how is it implemented? Control Summary Information
13.8.4.
The organization:
Incident Handling (IR-4)
(a) Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery; (b) Coordinates incident handling activities with contingency planning activities; and
Page 195
(c) Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
IR-4 Responsible Role: Implementation Type (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-4 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Additional FedRAMP Requirements and Guidance: Requirement: The service provider ensures that individuals conducting incident handling meet personnel security requirements commensurate with the criticality/sensitivity of the information being processed, stored, and transmitted by the information system.
Page 196
<Information System Name> System Security Plan Version <0.00> / <Date> IR-4 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Configured by customer Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-4 What is the solution and how is it implemented? Control Summary Information
13.8.4.1.
Control Enhancement for Incident Handling
13.8.4.1.1. Control Enhancement IR-4 (1) IR-4 (1) The organization employs automated mechanisms to support the incident handling process.
IR-4 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Page 197 Control Enhancement Summary Information
<Information System Name> System Security Plan Version <0.00> / <Date> IR-4 (1) Control Enhancement Summary Information
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-4 (1) What is the solution and how is it implemented?
13.8.5.
Incident Monitoring (IR-5)
The organization tracks and documents information system security incidents.

IR-5 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 198
<Information System Name> System Security Plan Version <0.00> / <Date> IR-5 What is the solution and how is it implemented?
13.8.6.
The organization:
Incident Reporting (IR-6)
(a) Requires personnel to report suspected security incidents to the organizational incident response capability within [Assignment: organization-defined time period]; and IR-6a Parameter Requirements: [US-CERT incident reporting timelines as specified in NIST Special Publication 800-61 (as amended)] (b) Reports security incident information to designated authorities.
IR-6 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-6 What is the solution and how is it implemented? Control Summary Information
Page 199
<Information System Name> System Security Plan Version <0.00> / <Date> IR-6 What is the solution and how is it implemented? Part a
Part b
13.8.6.1.
Control Enhancement for Incident Reporting
13.8.6.1.1. Control Enhancement IR-6 (1) IR-6 (1) The organization employs automated mechanisms to assist in the reporting of security incidents.
IR-6 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-6 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 200
13.8.7.
Incident Response Assistance (IR-7)
The organization provides an incident response support resource, integral to the organizational incident response capability that offers advice and assistance to users of the information system for the handling and reporting of security incidents.
IR-7 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-7 What is the solution and how is it implemented? Control Summary Information
13.8.7.1.
Control Enhancements for Incident Response Assistance
13.8.7.1.1. Control Enhancement IR-7 (1) IR-7 (1) The organization employs automated mechanisms to increase the availability of incident response related information and support.
IR-7 (1) Responsible Role: Implementation Status (check all that apply): Implemented Control Enhancement Summary Information
Page 201
Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-7 (1) What is the solution and how is it implemented?
13.8.7.1.2. Control Enhancement IR-7 (2) IR-7 (2) The organization: (a) Establishes a direct, cooperative relationship between its incident response capability and external providers of information system protection capability; and (b) Identifies organizational incident response team members to the external providers.
IR-7 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid Control Enhancement Summary Information
Page 202
Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-7 (2) What is the solution and how is it implemented? Part a
Part b
13.8.8.
The organization:
Incident Response Plan (IR-8)
(a) Develops an incident response plan that: Provides the organization with a roadmap for implementing its incident response capability; Describes the structure and organization of the incident response capability; Provides a high-level approach for how the incident response capability fits into the overall organization; Meets the unique requirements of the organization, which relate to mission, size, structure, and functions; Defines reportable incidents; Provides metrics for measuring the incident response capability within the organization. Defines the resources and management support needed to effectively maintain and mature an incident response capability; and Is reviewed and approved by designated officials within the organization; (b) Distributes copies of the incident response plan to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements] ; IR-8b Parameter Requirements: See additional requirements and guidance.
Page 203
IR-8b Additional FedRAMP Parameter Requirements: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel. (c) Reviews the incident response plan [Assignment: organization-defined frequency]; IR-8c Parameter Requirements: [at least annually] (d) Revises the incident response plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing; and (e) Communicates incident response plan changes to [Assignment: organization-defined list of incident response personnel (identified by name and/or by role) and organizational elements] IR-8e Parameter Requirements: See additional requirements and guidance. IR-8e Additional FedRAMP Parameter Requirements: The service provider defines a list of incident response personnel (identified by name and/or by role) and organizational elements. The incident response list includes designated FedRAMP personnel.
IR-8 Responsible Role: Parameter 8b: Parameter 8c: Parameter 8e: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Control Summary Information
Page 204
<Information System Name> System Security Plan Version <0.00> / <Date> IR-8 Control Summary Information Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> IR-8 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
Part e
13.9. MAINTENANCE (MA) 13.9.1. System Maintenance Policy and Procedures (MA-1)
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented information system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the information system maintenance policy and associated system maintenance controls. MA-1 Parameter Requirements: [at least annually]
Page 205
MA-1 Responsible Role: Parameter:
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) MA-1 What is the solution and how is it implemented? Part a
Part b
13.9.2.
The organization:
Controlled Maintenance (MA-2)
(a) Schedules, performs, documents, and reviews records of maintenance and repairs on information system components in accordance with manufacturer or vendor specifications and/or organizational requirements; (b) Controls all maintenance activities, whether performed on site or remotely and whether the equipment is serviced on site or removed to another location; (c) Requires that a designated official explicitly approve the removal of the information system or system components from organizational facilities for off-site maintenance or repairs;
Page 206
(d) Sanitizes equipment to remove all information from associated media prior to removal from organizational facilities for off-site maintenance or repairs; and (e) Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
MA-2 Responsible Role: Implementation Status (check all that apply): In place Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MA-2 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Part d
Page 207
<Information System Name> System Security Plan Version <0.00> / <Date> MA-2 What is the solution and how is it implemented? Part e
13.9.2.1.
Control Enhancements for Controlled Maintenance
13.9.2.1.1. Control Enhancement MA-2 (1) MA-2 (1) The organization maintains maintenance records for the information system that include: (a) Date and time of maintenance; (b) Name of the individual performing the maintenance; (c) Name of escort, if necessary; (d) A description of the maintenance performed; and (e) A list of equipment removed or replaced (including identification numbers, if applicable).
MA-2 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 208
<Information System Name> System Security Plan Version <0.00> / <Date> MA-2 (1) What is the solution and how is it implemented? Part a
Part b
Part c
Part d
Part e
13.9.3.
Maintenance Tools (MA-3)
The organization approves, controls, monitors the use of, and maintains on an ongoing basis, information system maintenance tools.
MA-3 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Control Summary Information
Page 209
<Information System Name> System Security Plan Version <0.00> / <Date> Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MA-3 What is the solution and how is it implemented?
13.9.3.1.
Control Enhancements for Maintenance Tools
13.9.3.1.1. Control Enhancement MA-3 (1) MA-3 (1) The organization inspects all maintenance tools carried into a facility by maintenance personnel for obvious improper modifications.
MA-3 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
MA-3 (1) What is the solution and how is it implemented?
Page 210
13.9.3.1.2. Control Enhancement MA-3 (2) MA-3 (2) The organization checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.
MA-3 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MA-3 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
13.9.3.1.3. Control Enhancement MA-3 (3) MA-3 (3) The organization prevents the unauthorized removal of maintenance equipment by one of the following: (i) Verifying that there is no organizational information contained on the equipment; (ii) Sanitizing or destroying the equipment; (iii) Retaining the equipment within the facility; or (iv) Obtaining an exemption from a designated organization official explicitly authorizing removal of the equipment from the facility.
MA-3 (3) Responsible Role: Control Enhancement Summary Information
Page 211
<Information System Name> System Security Plan Version <0.00> / <Date> MA-3 (3) Control Enhancement Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MA-3 (3) What is the solution and how is it implemented?
13.9.4.
The organization:
Remote Maintenance (MA-4)
(a) Authorizes, monitors, and controls non-local maintenance and diagnostic activities; (b) Allows the use of non-local maintenance and diagnostic tools only as consistent with organizational policy and documented in the security plan for the information system; (c) Employs strong identification and authentication techniques in the establishment of non-local maintenance and diagnostic sessions; (d) Maintains records for non-local maintenance and diagnostic activities; and (e) Terminates all sessions and network connections when non-local maintenance is completed.
MA-4 Responsible Role: Control Summary Information
Page 212
<Information System Name> System Security Plan Version <0.00> / <Date> MA-4 Control Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MA-4 What is the solution and how is it implemented? Part a
Part b
Part c
Part d
Part e
13.9.4.1.
Control Enhancements for Remote Maintenance
Page 213
13.9.4.1.1. Control Enhancement MA-4 (1) MA-4 (1) The organization audits non-local maintenance and diagnostic sessions and designated organizational personnel review the maintenance records of the sessions.
MA-4 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MA-4 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.9.4.1.2. Control Enhancement MA-4 (2) MA-4 (2) The organization documents, in the security plan for the information system, the installation and use of non-local maintenance and diagnostic connections.
MA-4 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Enhancement Summary Information
Page 214
<Information System Name> System Security Plan Version <0.00> / <Date> MA-4 (2) Control Enhancement Summary Information
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MA-4 (2) What is the solution and how is it implemented?
13.9.5.
The organization:
Maintenance Personnel (MA-5)
(a) Establishes a process for maintenance personnel authorization and maintains a current list of authorized maintenance organizations or personnel; and (b) Ensures that personnel performing maintenance on the information system have required access authorizations or designates organizational personnel with required access authorizations and technical competence deemed necessary to supervise information system maintenance when maintenance personnel do not possess the required access authorizations.
MA-5 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Control Summary Information
Page 215
<Information System Name> System Security Plan Version <0.00> / <Date> MA-5 Control Summary Information
Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MA-5 What is the solution and how is it implemented? Part a
Part b
13.9.6.
Timely Maintenance (MA-6)
The organization obtains maintenance support and/or spare parts for security-critical information system components and/or key information technology components [Assignment: organizationdefined list of security-critical information system components and/or key information technology components] within [Assignment: organization-defined time period] MA-6 Parameter Requirements: Parameter 1: See additional requirements and guidance. Parameter 2: See additional requirements and guidance. MA-6 Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a list of security-critical information system components and/or key information technology components. The list of components is approved and accepted by the JAB. Requirement: The service provider defines a time period to obtain maintenance and spare parts in accordance with the contingency plan for the information system and business impact analysis. The time period is approved and accepted by the JAB.
MA-6 Responsible Role: Parameter 1: Control Summary Information
Page 216
<Information System Name> System Security Plan Version <0.00> / <Date> MA-6 Parameter 2: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MA-6 What is the solution and how is it implemented? Control Summary Information
13.10.
MEDIA PROTECTION (MP) Media Protection Policy and Procedures (MP-1)
13.10.1.
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the media protection policy and associated media protection controls. MP-1 Parameter Requirements: [at least annually]
MP-1 Control Summary Information
Page 217
<Information System Name> System Security Plan Version <0.00> / <Date> MP-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) MP-1 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.10.2.
Media Access (MP-2)
The organization restricts access to [Assignment: organization-defined types of digital and nondigital media ]to [Assignment: organization-defined list of authorized individuals] using [Assignment: organization-defined security measures] MP-2 Parameter Requirements: Parameter 1: See additional requirements and guidance. Parameter 2: See additional requirements and guidance. Parameter 3: See additional requirements and guidance.
MP-2 Responsible Role: Parameter 1: Control Summary Information
Page 218
<Information System Name> System Security Plan Version <0.00> / <Date> MP-2 Parameter 2: Parameter 3: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-2 What is the solution and how is it implemented? Control Summary Information
MP-2 Additional FedRAMP Requirements and Guidance: Requirement 1: The service provider defines types of digital and non-digital media. The media types are approved and accepted by the JAB. Requirement 2: The service provider defines a list of individuals with authorized access to defined media types. The list of authorized individuals is approved and accepted by the JAB. Requirement 3: The service provider defines the types of security measures to be used in protecting defined media types. The security measures are approved and accepted by the JAB.
MP-2 Responsible Role: Implementation Status (check all that apply): Implemented Additional FedRAMP Control Summary Information
Page 219
<Information System Name> System Security Plan Version <0.00> / <Date> MP-2 Additional FedRAMP Control Summary Information
Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-2 What is the solution and how is it implemented? Req. 1
Req. 2
Req. 3
13.10.2.1.
Control Enhancements for Media Access
13.10.2.1.1. Control Enhancement MP-2 (1) MP-2 (1) The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted.
MP-2 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Control Enhancement Summary Information
Page 220
<Information System Name> System Security Plan Version <0.00> / <Date> MP-2 (1) Control Enhancement Summary Information
Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-2 (1) What is the solution and how is it implemented?
13.10.3.
The organization:
Media Labeling (MP-3)
(a) Marks, in accordance with organizational policies and procedures, removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings (if any) of the information; and (b) Exempts [Assignment: organization-defined list of removable media types] from marking as long as the exempted items remain within [Assignment: organizationdefined controlled areas] MP-3b Parameter Requirements: Parameter 1: [no removable media types] Parameter 2: [not applicable]
MP-3 Responsible Role: 3b Parameter 1: Control Summary Information
Page 221
<Information System Name> System Security Plan Version <0.00> / <Date> MP-3 3b Parameter 2: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-3 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.10.4.
The organization:
Media Storage (MP-4)
(a) Physically controls and securely stores [Assignment: organization-defined types of digital and non-digital media] within [Assignment: organization-defined controlled areas] using [Assignment: organization-defined security measures]; MP-4a Parameter Requirements: Parameter 1: [magnetic tapes, external/removable hard drives, flash/thumb drives, diskettes, compact disks and digital video disks] Parameter 2: See additional requirements and guidance. Parameter 3: [for digital media, encryption using a FIPS 140-2 validated encryption module; for non-digital media, secure storage in locked cabinets or
Page 222
safes] MP-4a Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines controlled areas within facilities where the information and information system reside. (b) Protects information system media until the media are destroyed or sanitized using approved equipment, techniques, and procedures.
MP-4 Responsible Role: 4a Parameter 1: 4a Parameter 2: 4a Parameter 3: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-4 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Page 223
13.10.4.1.
Control Enhancements for Media Storage
13.10.4.1.1. Control Enhancement MP-4 (1) MP-4 (1) The organization employs cryptographic mechanisms to protect information in storage.
MP-4 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-4 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.10.5.
The organization:
Media Transport (MP-5)
(a) Protects and controls [Assignment: organization-defined types of digital and nondigital media] during transport outside of controlled areas using [Assignment: organization-defined security measures]; MP-5a Parameter Requirements: Parameter 1: [magnetic tapes, external/removable hard drives, flash/thumb drives, diskettes, compact disks and digital video disks] Parameter 2: [for digital media, encryption using a FIPS 140-2 validated encryption module]
Page 224
MP-5a Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines security measures to protect digital and non-digital media in transport. The security measures are approved and accepted by the JAB. (b) Maintains accountability for information system media during transport outside of controlled areas; and (c) Restricts the activities associated with transport of such media to authorized personnel.
MP-5 Responsible Role: 5a Parameter 1: 5a Parameter 2: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-5 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Page 225
<Information System Name> System Security Plan Version <0.00> / <Date> MP-5 What is the solution and how is it implemented? Part c
13.10.5.1.
Control Enhancements for Media Transport
13.10.5.1.1. Control Enhancement MP-5 (2) MP-5 (2) The organization documents activities associated with the transport of information system media.
MP-5 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-5 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
13.10.5.1.2. Control Enhancement MP-5 (4) MP-5 (4) The organization employs cryptographic mechanisms to protect the confidentiality and integrity of information stored on digital media during transport outside of controlled areas.
Page 226
<Information System Name> System Security Plan Version <0.00> / <Date> MP-5 (4) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-5 (4) What is the solution and how is it implemented? Control Enhancement Summary Information
13.10.6.
The organization:
Media Sanitization and Disposal (MP-6)
(a) Sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse; and (b) Employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information.
MP-6 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Control Summary Information
Page 227
<Information System Name> System Security Plan Version <0.00> / <Date> MP-6 Control Summary Information
Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-6 What is the solution and how is it implemented? Part a
Part b
13.10.6.1.1. Control Enhancement MP-6 (4) MP-6 (4) No variables. The organization sanitizes information system media containing Controlled Unclassified Information (CUI) or other sensitive information in accordance with applicable organizational and/or federal standards and policies.
MP-6 (4) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Enhancement Summary Information
Page 228
<Information System Name> System Security Plan Version <0.00> / <Date> MP-6 (4) Control Enhancement Summary Information
Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> MP-6 (4) What is the solution and how is it implemented?
13.11.
PHYSICAL AND ENVIRONMENTAL PROTECTION (PE)
13.11.1. Physical and Environmental Protection Policy and Procedures (PE-1)

The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls. PE-1 Parameter Requirements: [at least annually]
PE-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Summary Information
Page 229
<Information System Name> System Security Plan Version <0.00> / <Date> PE-1 Control Summary Information
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) PE-1 What is the solution and how is it implemented? Part a
Part b
13.11.2.
The organization:
Physical Access Authorizations (PE-2)
(a) Develops and keeps current a list of personnel with authorized access to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); (b) Issues authorization credentials; (c) Reviews and approves the access list and authorization credentials [Assignment: organization-defined frequency], removing from the access list personnel no longer requiring access. PE-2c Parameter Requirements: [at least annually]
PE-2 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Summary Information
Page 230
<Information System Name> System Security Plan Version <0.00> / <Date> PE-2 Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-2 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
13.11.3.
The organization:
Physical Access Control (PE-3)
(a) Enforces physical access authorizations for all physical access points (including designated entry/exit points) to the facility where the information system resides (excluding those areas within the facility officially designated as publicly accessible); (b) Verifies individual access authorizations before granting access to the facility; (c) Controls entry to the facility containing the information system using physical access devices and/or guards; (d) Controls access to areas officially designated as publicly accessible in accordance with the organizations assessment of risk;
Page 231
(e) Secures keys, combinations, and other physical access devices; (f) Inventories physical access devices [Assignment: organization-defined frequency]; and PE-3f Parameter Requirements: [at least annually] (g) Changes combinations and keys [Assignment: organization-defined frequency] and when keys are lost, combinations are compromised, or individuals are transferred or terminated. PE-3g Parameter Requirements: [at least annually]
PE-3 Responsible Role: Parameter 3f: Parameter 3g: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-3 What is the solution and how is it implemented? Part a Control Enhancement Summary Information
Page 232
<Information System Name> System Security Plan Version <0.00> / <Date> PE-3 What is the solution and how is it implemented? Part b
Part c
Part d
Part e
Part f
Part g
13.11.4.
Access Control for Transmission Medium (PE-4)
The organization controls physical access to information system distribution and transmission lines within organizational facilities.
PE-4 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Enhancement Summary Information
Page 233
<Information System Name> System Security Plan Version <0.00> / <Date> PE-4 Control Enhancement Summary Information
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-4 What is the solution and how is it implemented?
13.11.5.
Access Control for Display Medium (PE-5)
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
PE-5 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 234
<Information System Name> System Security Plan Version <0.00> / <Date> PE-5 What is the solution and how is it implemented?
13.11.6.
The organization:
Monitoring Physical Access (PE-6)
(a) Monitors physical access to the information system to detect and respond to physical security incidents; (b) Reviews physical access logs [Assignment: organization-defined frequency]; and PE-6b Parameter Requirements: [at least semi-annually] (c) Coordinates results of reviews and investigations with the organizations incident response capability.
PE-6 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-6 What is the solution and how is it implemented? Control Summary Information
Page 235
<Information System Name> System Security Plan Version <0.00> / <Date> PE-6 What is the solution and how is it implemented? Part a
Part b
Part c
13.11.6.1.
Control Enhancements for Monitoring Physical Access
13.11.6.1.1. Control Enhancement PE-6 (1) PE-6 (1) The organization monitors real-time physical intrusion alarms and surveillance equipment.
PE-6 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Hybrid (Service Provider and Customer) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 236
<Information System Name> System Security Plan Version <0.00> / <Date> PE-6 (1) What is the solution and how is it implemented?
13.11.7.
Visitor Control (PE-7)
The organization controls physical access to the information system by authenticating visitors before authorizing access to the facility where the information system resides other than areas designated as publicly accessible.
PE-7 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-7 What is the solution and how is it implemented? Control Summary Information
13.11.7.1.
Control Enhancements for Visitor Control
13.11.7.1.1. Control Enhancement PE-7 (1) PE-7 (1) The organization escorts visitors and monitors visitor activity, when required.
Page 237
<Information System Name> System Security Plan Version <0.00> / <Date> PE-7 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-7 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.11.8.
The organization:
Access Records (PE-8)
(a) Maintains visitor access records to the facility where the information system resides (except for those areas within the facility officially designated as publicly accessible); and (b) Reviews visitor access records [Assignment: organization-defined frequency] PE-8b Parameter Requirements:[at least monthly]
PE-8 Responsible Role: Parameter: Implementation Status (check all that apply): Control Summary Information
Page 238
Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-8 What is the solution and how is it implemented? Part a
Part b
13.11.9.
Power Equipment and Power Cabling (PE-9)
The organization protects power equipment and power cabling for the information system from damage and destruction.
PE-9 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Control Summary Information
Page 239
Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-9 What is the solution and how is it implemented?
13.11.10.
The organization:
Emergency Shutoff (PE-10)
(a) Provides the capability of shutting off power to the information system or individual system components in emergency situations; (b) Places emergency shutoff switches or devices in [Assignment: organizationdefined location by information system or system component] location by information system or system component, to facilitate safe and easy access for personnel; and (c) Protects emergency power shutoff capability from unauthorized activation. 10b Parameter Requirements: See additional requirements and guidance. 10b Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines emergency shutoff switch locations. The locations are approved and accepted by the JAB.
PE-10 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Control Summary Information
Page 240
Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-10 What is the solution and how is it implemented? Part a
Part b
Part c
13.11.11.
Emergency Power (PE-11)
The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system in the event of a primary power source loss.
PE-11 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Summary Information
Page 241
<Information System Name> System Security Plan Version <0.00> / <Date> PE-11 Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-11 What is the solution and how is it implemented? Control Summary Information
13.11.12.
Emergency Lighting (PE-12)
The organization employs and maintains automatic emergency lighting for the information system that activates in the event of a power outage or disruption and that covers emergency exits and evacuation routes within the facility.
PE-12 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 242
PE-12 What is the solution and how is it implemented?
13.11.13.
Fire Protection (PE-13)
The organization employs and maintains fire suppression and detection devices/systems for the information system that are supported by an independent energy source.
Page 243
13.11.13.1.
Control Enhancements for Fire Protection
13.11.13.1.1. Control Enhancement PE-13 (1) PE-13 (1) The organization employs fire detection devices/systems for the information system that activate automatically and notify the organization and emergency responders in the event of a fire.
PE-13 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-13 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.11.13.1.2. Control Enhancement PE-13 (2) PE-13 (2) The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to the organization and emergency responders.
PE-13 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Control Summary Information
Page 244
<Information System Name> System Security Plan Version <0.00> / <Date> PE-13 (2) Control Summary Information
Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-13 (2) What is the solution and how is it implemented?
13.11.13.1.3. Control Enhancement PE-13 (3) PE-13 (3) The organization employs an automatic fire suppression capability for the information system when the facility is not staffed on a continuous basis.
PE-13 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 245
<Information System Name> System Security Plan Version <0.00> / <Date> PE-13 (3) What is the solution and how is it implemented?
13.11.14.
The organization:
Temperature and Humidity Controls (PE-14)
(a) Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and PE-14a Parameter Requirements: [consistent with American Society of Heating, Refrigerating and Air-conditioning Engineers (ASHRAE) document entitled Thermal Guidelines for Data Processing Environments] PE-14a Additional FedRAMP Parameter Requirements: The service provider measures temperature at server inlets and humidity levels by dew point. (b) Monitors temperature and humidity levels [Assignment: organization-defined frequency] PE-14b Parameter Requirements: [continuously]
PE-14 Responsible Role: Parameter 14a: Parameter 14a Additional: Parameter 14b: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Summary Information
Page 246
Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-14 What is the solution and how is it implemented?
13.11.15.
Water Damage Protection (PE-15)
The organization protects the information system from damage resulting from water leakage by providing master shutoff valves that are accessible, working properly, and known to key personnel.
Page 247
13.11.16.
Delivery and Removal (PE-16)
The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items. PE-16 Parameter Requirements: [all information system components]
13.11.17.
The organization:
Alternate Work Site (PE-17)
Page 248
(a) Employs control requirements, as per [Assignment: organization-defined management, operational, and technical information system security controls] at alternate work sites; PE-17a Parameter Requirements: See additional requirements and guidance. PE-17a Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines management, operational, and technical information system security controls for alternate work sites. The security controls are approved and accepted by the JAB. (b) Assesses as feasible, the effectiveness of security controls at alternate work sites; and (c) Provides a means for employees to communicate with information security personnel in case of security incidents or problems.
PE-17 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PE-17 What is the solution and how is it implemented? Part a Control Summary Information
Page 249
<Information System Name> System Security Plan Version <0.00> / <Date> PE-17 What is the solution and how is it implemented? Part b
Part c
13.11.18.
Location of Information System Components (PE-18)
The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.
Page 250
13.12.
PLANNING (PL) Security Planning Policy and Procedures (PL-1)
13.12.1.
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency] (a) A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls. PL-1 Parameter Requirements: [at least annually]
PL-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Summary Information
Page 251
<Information System Name> System Security Plan Version <0.00> / <Date> PL-1 What is the solution and how is it implemented? Part a
Part b
13.12.2.
The organization:
System Security Plan (PL-2)
(a) Develops a security plan for the information system that:

Is consistent with the organizations enterprise architecture; Explicitly defines the authorization boundary for the system; Describes the operational context of the information system in terms of missions and business processes; Provides the security categorization of the information system including supporting rationale; Describes the operational environment for the information system; Describes relationships with or connections to other information systems; Provides an overview of the security requirements for the system; Describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and Is reviewed and approved by the authorizing official or designated representative prior to plan implementation;
(b) Reviews the security plan for the information system [Assignment: organizationdefined frequency]; and PL-2b Parameter Requirements:[at least annually] (c) Updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments.
PL-2 Responsible Role: Control Summary Information
Page 252
<Information System Name> System Security Plan Version <0.00> / <Date> PL-2 Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PL-2 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
13.12.3.
The organization:
Rules of Behavior (PL-4)
(a) Establishes and makes readily available to all information system users, the rules that describe their responsibilities and expected behavior with regard to information and information system usage; and
Page 253
(b) Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system
PL-4 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PL-4 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.12.4.
Privacy Impact Assessment (PL-5)
The organization conducts a privacy impact assessment on the information system in accordance with OMB policy.
PL-5 Responsible Role: Implementation Status (check all that apply): Control Summary Information
Page 254
<Information System Name> System Security Plan Version <0.00> / <Date> PL-5 Control Summary Information
Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PL-5 What is the solution and how is it implemented?
13.12.5.
Security-Related Activity Planning (PL-6)
The organization plans and coordinates security-related activities affecting the information system before conducting such activities in order to reduce the impact on organizational operations (i.e., mission, functions, image, and reputation), organizational assets, and individuals.
PL-6 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Summary Information
Page 255
<Information System Name> System Security Plan Version <0.00> / <Date> PL-6 Control Summary Information
Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PL-6 What is the solution and how is it implemented?
13.13.
PERSONNEL SECURITY (PS) Personnel Security Policy and Procedures (PS-1)
13.13.1.
The organization develops, disseminates, and reviews [Assignment: organization-defined frequency]: (a) A formal, documented personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the personnel security policy and associated personnel security controls. PS-1 Parameter Requirements: [at least annually]
PS-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Control Summary Information
Page 256
<Information System Name> System Security Plan Version <0.00> / <Date> PS-1 Control Summary Information
Service Provider Hybrid (Corporate and System Specific)
PS-1 What is the solution and how is it implemented? Part a
Part b
13.13.2.
The organization:
Position Categorization (PS-2)
(a) Assigns a risk designation to all positions; (b) Establishes screening criteria for individuals filling those positions; and (c) Reviews and revises position risk designations [Assignment: organization-defined frequency]. PS-2c Parameter Requirements:[at least every three years]
PS-2 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Summary Information
Page 257
<Information System Name> System Security Plan Version <0.00> / <Date> PS-2 Control Summary Information
Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PS-2 What is the solution and how is it implemented? Part a
Part b
Part c
13.13.3.
The organization:
Personnel Screening (PS-3)
(a) Screens individuals prior to authorizing access to the information system; and (b) Rescreens individuals according to [Assignment: organization-defined list of conditions requiring rescreening and, where re-screening is so indicated, the frequency of such rescreening] PS-3b Parameter Requirements: [for national security clearances; a reinvestigation is required during the 5th year for top secret security clearance, the 10th year for secret security clearance, and 15th year for confidential security clearance. For moderate risk law enforcement and high impact public trust level, a reinvestigation is required during the 5th year. There is no reinvestigation for other moderate risk positions or any low risk positions]
13.13.4.
Personnel Termination (PS-4)
The organization, upon termination of individual employment: (a) Terminates information system access;
Page 258
(b) Conducts exit interviews; (c) Retrieves all security-related organizational information system-related property; and (d) Retains access to organizational information and information systems formerly controlled by terminated individual.
PS-4 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> PS-4 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Page 259
<Information System Name> System Security Plan Version <0.00> / <Date> PS-4 What is the solution and how is it implemented? Part d
13.13.5.
Personnel Transfer (PS-5)
The organization reviews logical and physical access authorizations to information systems/facilities when personnel are reassigned or transferred to other positions within the organization and initiates [Assignment: organization-defined transfer or reassignment actions] within [Assignment: organization-defined time period following the formal transfer action]. PS-5 Parameter Requirements: Parameter 1: See additional requirements and guidance. Parameter 2: [within five days] PS-5 Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines transfer or reassignment actions. Transfer or reassignment actions are approved and accepted by the JAB.
PS-5 Responsible Role: Parameter 1: Parameter 2: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 260
<Information System Name> System Security Plan Version <0.00> / <Date> PS-5 What is the solution and how is it implemented?
13.13.6.
The organization:
Access Agreements (PS-6)
(a) Ensures that individuals requiring access to organizational information and information systems sign appropriate access agreements prior to being granted access; and (b) Reviews/updates the access agreements [Assignment: organization-defined frequency] PS-6b Parameter Requirements: [at least annually]
PS-6 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 261
<Information System Name> System Security Plan Version <0.00> / <Date> PS-6 What is the solution and how is it implemented? Part a
Part b
13.13.7.
The organization:
Third-Party Personnel Security (PS-7)
(a) Establishes personnel security requirements including security roles and responsibilities for third-party providers; (b) Documents personnel security requirements; and (c) Monitors provider compliance.
PS-7 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 262
<Information System Name> System Security Plan Version <0.00> / <Date> PS-7 What is the solution and how is it implemented? Part a
Part b
Part c
13.13.8.
Personnel Sanctions (PS-8)
The organization employs a formal sanctions process for personnel failing to comply with established information security policies and procedures.
PS-8 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 263
<Information System Name> System Security Plan Version <0.00> / <Date> PS-8 What is the solution and how is it implemented?
13.14.
RISK ASSESSMENT (RA) Risk Assessment Policy and Procedures (RA-1)
13.14.1.
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. RA-1 Parameter Requirements: [at least annually]
RA-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Summary Information
Page 264
<Information System Name> System Security Plan Version <0.00> / <Date> RA-1 What is the solution and how is it implemented? Part a
Part b
13.14.2.
The organization:
Security Categorization (RA-2)
(a) Categorizes information and the information system in accordance with applicable Federal Laws, Executive Orders, directives, policies, regulations, standards, and guidance; (b) Documents the security categorization results (including supporting rationale) in the security plan for the information system; and (c) Ensures the security categorization decision is reviewed and approved by the Authorizing Official or authorizing official designated representative.
RA-2 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 265
<Information System Name> System Security Plan Version <0.00> / <Date> RA-2 What is the solution and how is it implemented? Part a
Part b
Part c
13.14.3.
The organization:
Risk Assessment (RA-3)
(a) Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits; (b) Documents risk assessment results in [Selection: security plan; risk assessment report; [Assignment: organization-defined document]] RA-3b Parameter Requirements: [security assessment report] (c) Reviews risk assessment results [Assignment: organization-defined frequency]; and RA-3c Parameter Requirements: [at least every three years or when a significant change occurs] (d) Updates the risk assessment [Assignment: organization-defined frequency] or, whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security state of the system. RA-3d Parameter Requirements: [at least every three years or when a significant change occurs]
Page 266
Note: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F
RA-3 Responsible Role: Parameter 3b: Parameter 3c: Parameter 3d:
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> RA-3 What is the solution and how is it implemented? Part a
Part b
Part c
Page 267
<Information System Name> System Security Plan Version <0.00> / <Date> RA-3 What is the solution and how is it implemented? Part d
13.14.4.
The organization:
Vulnerability Scanning (RA-5)
(a) Scans for vulnerabilities in the information system and hosted applications [Assignment: organization-defined frequency and/or randomly in accordance with organization-defined process] and when new vulnerabilities potentially affecting the system/applications are identified and reported; RA-5a Parameter Requirements: [monthly operating system/infrastructure; quarterly web applications and databases] (b) Employs vulnerability scanning tools and techniques that promote interoperability among tools and automate parts of the vulnerability management process by using standards for: Enumerating platforms, software flaws, and improper configurations; Formatting and making transparent, checklists and test procedures; and Measuring vulnerability impact; (c) Analyzes vulnerability scan reports and results from security control assessments; (d) Remediates legitimate vulnerabilities; [Assignment: organization-defined response times], in accordance with an organizational assessment of risk; and RA-5d Parameter Requirements: [high-risk vulnerabilities mitigated within thirty days; moderate risk vulnerabilities mitigated within ninety days] (e) Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout the organization to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).
RA-5 Responsible Role: Parameter 5a: Control Summary Information
Page 268
<Information System Name> System Security Plan Version <0.00> / <Date> RA-5 Parameter 5d: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> RA-5 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Part d
Part e
Page 269
13.14.4.1.
Control Enhancements for Vulnerability Scanning
13.14.4.1.1. Control Enhancement RA-5 (1) RA-5 (1) The organization employs vulnerability scanning tools that include the capability to readily update the list of information system vulnerabilities scanned.
RA-5 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> RA-5 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.14.4.1.2. Control Enhancement RA-5 (2) RA-5 (2) The organization updates the list of information system vulnerabilities scanned [Assignment: organization-defined frequency] or when new vulnerabilities are identified and reported. RA-5(2) Parameter Requirements: [continuously, before each scan]
RA-5 (2) Responsible Role: Implementation Status (check all that apply): Implemented Control Enhancement Summary Information
Page 270
<Information System Name> System Security Plan Version <0.00> / <Date> RA-5 (2) Control Enhancement Summary Information
Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> RA-5 (2) What is the solution and how is it implemented?
13.14.4.1.3. Control Enhancement RA-5 (3) RA-5 (3) The organization employs vulnerability scanning procedures that can demonstrate the breadth and depth of coverage (i.e., information system components scanned and vulnerabilities checked).
RA-5 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Control Enhancement Summary Information
Page 271
RA-5 (3) What is the solution and how is it implemented?
13.14.4.1.4. Control Enhancement RA-5 (5) RA-5(5) The organization includes privileged access authorization to [Assignment: organizationidentified information system components] for selected vulnerability scanning activities to facilitate more thorough scanning. RA-5(5) Parameter Requirements: operating systems/infrastructure, databases, web applications.
Page 272
13.14.4.1.5. Control Enhancement RA-5 (6) RA-5 (6) The organization employs automated mechanisms to compare the results of vulnerability scans over time to determine trends in information system vulnerabilities.
13.14.4.1.6. Control Enhancement RA-5 (9) RA-5 (9) The organization employs an independent penetration agent or penetration team to: (a) Conduct a vulnerability analysis on the information system; and (b) Perform penetration testing on the information system based on the vulnerability analysis to determine the exploitability of identified vulnerabilities.
RA-5 (9) Responsible Role: Implementation Status (check all that apply): Implemented Control Enhancement Summary Information
Page 273
Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA>
RA-5 (9) What is the solution and how is it implemented?
13.15.
SYSTEM AND SERVICES ACQUISITION (SA) System and Services Acquisition Policy and Procedures (SA-1)
13.15.1.
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls. SA-1 Parameter Requirements:[at least annually]
Page 274
<Information System Name> System Security Plan Version <0.00> / <Date> SA-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) SA-1 What is the solution and how is it implemented? Control Summary Information
13.15.2.
The organization:
Allocation of Resources (SA-2)
(a) Includes a determination of information security requirements for the information system in mission/business process planning; (b) Determines, documents, and allocates the resources required to protect the information system as part of its capital planning and investment control process; and (c) Establishes a discrete line item for information security in organizational programming and budgeting documentation.
SA-2 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Control Summary Information
Page 275
<Information System Name> System Security Plan Version <0.00> / <Date> SA-2 Control Summary Information
Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-2 What is the solution and how is it implemented? Part a
Part b
Part c
13.15.3.
The organization:
Life Cycle Support (SA-3)
(a) Manages the information system using a system development life cycle methodology that Includes information security considerations; (b) Defines and documents information system security roles and responsibilities throughout the system development life cycle; and (c) Identifies individuals having information system security roles and responsibilities.
SA-3 Responsible Role: Control Summary Information
Page 276
<Information System Name> System Security Plan Version <0.00> / <Date> SA-3 Control Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-3 What is the solution and how is it implemented? Part a
Part b
Part c
13.15.4.
Acquisitions (SA-4)
The organization includes the following requirements and/or specifications, explicitly or by reference, in information system acquisition contracts based on an assessment of risk and accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards: (a) Security functional requirements/specifications; (b) Security-related documentation requirements; and
Page 277
(c) Developmental and evaluation-related assurance requirements Additional FedRAMP Requirements and Guidance: Guidance: The use of Common Criteria (ISO/IEC 15408) evaluated products is strongly preferred. See http://www.niapccevs.org/vpl or http://www.commoncriteriaportal.org/products.html.
SA-4 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-4 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
13.15.4.1.
Control Enhancements for Acquisitions
Page 278
13.15.4.1.1. Control Enhancement SA-4 (1) SA-4 (1) The organization requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.
SA-4 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-4 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.15.4.1.2. Control Enhancement SA-4 (4) SA-4 (4) The organization ensures that each information system component acquired is explicitly assigned to an information system, and that the owner of the system acknowledges this assignment.
SA-4 (4) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Control Enhancement Summary Information
Page 279
<Information System Name> System Security Plan Version <0.00> / <Date> SA-4 (4) Control Enhancement Summary Information
Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-4 (4) What is the solution and how is it implemented?
13.15.4.1.3. Control Enhancement SA-4 (7) SA-4 (7) The organization: (a) Limits the use of commercially provided information technology products to those products that have been successfully evaluated against a validated U.S. Government Protection Profile for a specific technology type, if such a profile exists; and (b) Requires, if no U.S. Government Protection Profile exists for a specific technology type but a commercially provided information technology product relies on cryptographic functionality to enforce its security policy, then the cryptographic module is FIPS-validated.
SA-4 (7) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Control Enhancement Summary Information
Page 280
Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-4 What is the solution and how is it implemented? Part a
Part b
13.15.5.
The organization:
Information System Documentation (SA-5)
(a) Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes: Secure configuration, installation, and operation of the information system; Effective use and maintenance of security features/functions; and Known vulnerabilities regarding configuration and use of administrative (i.e., privileged) functions; and (b) Obtains, protects as required, and makes available to authorized personnel, user documentation for the information system that describes: User-accessible security features/functions and how to effectively use those security features/functions; Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and User responsibilities in maintaining the security of the information and information system; and Documents attempts to obtain information system documentation when such documentation is either unavailable or nonexistent.
SA-5 Control Enhancement Summary Information
Page 281
<Information System Name> System Security Plan Version <0.00> / <Date> SA-5 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-3 What is the solution and how is it implemented? Part a Control Enhancement Summary Information
Part b
13.15.5.1.1. Control Enhancement SA-5 (1) SA-5 (1) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
SA-5 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Control Enhancement Summary Information
Page 282
Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-5 (1) What is the solution and how is it implemented?
13.15.5.1.2. Control Enhancement SA-5 (3) SA-5 (3) The organization obtains, protects as required, and makes available to authorized personnel, vendor/manufacturer documentation that describes the high-level design of the information system in terms of subsystems and implementation details of the security controls employed within the system with sufficient detail to permit analysis and testing.
SA-5 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 283
SA-5 (3) What is the solution and how is it implemented?
13.15.6.
The organization:
Software Usage Restrictions (SA-6)
(a) Uses software and associated documentation in accordance with contract agreements and copyright laws; (b) Employs tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution; and (c) Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
SA-6 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-6 What is the solution and how is it implemented? Control Enhancement Summary Information
Page 284
<Information System Name> System Security Plan Version <0.00> / <Date> SA-6 What is the solution and how is it implemented? Part a
Part b
Part c
13.15.7.
User Installed Software (SA-7)
The organization enforces explicit rules governing the installation of software by users.
SA-7 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-7 What is the solution and how is it implemented? Control Summary Information
Page 285
13.15.8.
Security Engineering Principles (SA-8)
The organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the information system.
SA-8 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-8 What is the solution and how is it implemented? Control Summary Information
13.15.9.
The organization:
External Information System Services (SA-9)
(a) Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance; (b) Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
Page 286
(c) Monitors security control compliance by external service providers.

Part b
Part c
13.15.9.1.1. Control Enhancement SA-9 (1) SA-9 (1) The organization: (a) Conducts an organizational assessment of risk prior to the acquisition or outsourcing of dedicated information security services; and (b) Ensures that the acquisition or outsourcing of dedicated information security services is approved by [Assignment: organization-defined senior organizational official].
Page 287
SA-9 (1) (b) Parameter Requirements: [Joint Authorization Board (JAB)]

SA-9 (1) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-9 (1) What is the solution and how is it implemented? Part a Control Enhancement Summary Information
Part b
SA-9 (1) Additional FedRAMP Requirements and Guidance: Requirement: The service provider documents all existing outsourced security services and conducts a risk assessment of future outsourced security services. Future, planned outsourced services are approved and accepted by the JAB.
SA-9 (1) Responsible Role: Additional FedRAMP Control Summary Information
Page 288
<Information System Name> System Security Plan Version <0.00> / <Date> SA-9 (1) Additional FedRAMP Control Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-9 (1) What is the solution and how is it implemented?
13.15.10.
Developer Configuration Management (SA-10)
The organization requires that information system developers/integrators: (a) Perform configuration management during information system design, development, implementation, and operation; (b) Manage and control changes to the information system; (c) Implement only organization-approved changes; (d) Document approved changes to the information system; and (e) Track security flaws and flaw resolution.
SA-10 Responsible Role: Parameter: Control Summary Information
Page 289
<Information System Name> System Security Plan Version <0.00> / <Date> SA-10 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-10 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Part d
Part e
Page 290
13.15.11.
Developer Security Testing (SA-11)
The organization requires that information system developers/integrators, in consultation with associated security personnel (including security engineers): (a) Create and implement a security test and evaluation plan; (b) Implement a verifiable flaw remediation process to correct weaknesses and deficiencies identified during the security testing and evaluation process; and (c) Document the results of the security testing/evaluation and flaw remediation processes.
Part b
Page 291
<Information System Name> System Security Plan Version <0.00> / <Date> SA-11 What is the solution and how is it implemented? Part c
13.15.11.1.
Control Enhancements for Developer Security Testing
13.15.11.1.1. Control Enhancement SA-11 (1) SA-11 (1) The service provider submits a code analysis report as part of the authorization package and updates the report in any reauthorization actions. The service provider documents in the Continuous Monitoring Plan, how newly-developed code for the information system is reviewed.
SA-11 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-11 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
SA-11 (1) Additional FedRAMP Requirements and Guidance: Requirement 1: The service provider submits a code analysis report as part of the authorization package and updates the report in any reauthorization actions.
Page 292
Requirement 2: The service provider documents in the Continuous Monitoring Plan, how newlydeveloped code for the information system is reviewed.
SA-11 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-11 (1) What is the solution and how is it implemented? Req. 1 Additional FedRAMP Control Summary Information
Req. 2
13.15.12.
Supply Chain Protection (SA-12)
The organization protects against supply chain threats by employing: [Assignment: organization-defined list of measures to protect against supply chain threats] as part of a comprehensive, defense-in-breadth information security strategy. SA-12 Parameter Requirements: See additional requirements and guidance. SA-12 Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a list of measures to protect against supply chain threats. The list of protective measures is approved and accepted by JAB.
Page 293
SA-12 Responsible Role: Parameter:
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SA-12 What is the solution and how is it implemented?
13.16.
SYSTEM AND COMMUNICATIONS PROTECTION (SC)
13.16.1. System & Communications Protection Policy and Procedures (SC-1)

The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
Page 294
SC-1 Parameter Requirement: [at least annually]

SC-1 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) SC-1 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.16.2.
Application Partitioning (SC-2)
The information system separates user functionality (including user interface services) from information system management functionality.
SC-2 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Control Summary Information
Page 295
<Information System Name> System Security Plan Version <0.00> / <Date> SC-2 Control Summary Information
Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-2 What is the solution and how is it implemented?
13.16.3.
Information In Shared Resources (SC-4)
The information system prevents unauthorized and unintended information transfer via shared system resources.
SC-4 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 296
<Information System Name> System Security Plan Version <0.00> / <Date> SC-4 What is the solution and how is it implemented?
13.16.4.
Denial of Service Protection (SC-5)
The information system protects against or limits the effects of the following types of denial of service attacks: [Assignment: organization-defined list of types of denial of service attacks or reference to source for current list] SC-5 Parameter Requirements: See additional requirements and guidance. SC-5 Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a list of types of denial of service attacks (including but not limited to flooding attacks and software/logic attacks) or provides a reference to source for current list. The list of denial of service attack types is approved and accepted by JAB.
SC-5 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 297
<Information System Name> System Security Plan Version <0.00> / <Date> SC-5 What is the solution and how is it implemented?
13.16.5.
Resource Priority (SC-6)
The information system limits the use of resources by priority.

SC-6 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-6 What is the solution and how is it implemented? Control Summary Information
13.16.6.
Boundary Protection (SC-7)
The information system: (a) Monitors and controls communications at the external boundary of the system and at key internal boundaries within the system; and
Page 298
(b) Connects to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with organizational security architecture.
SC-7 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-7 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.16.6.1.
Control Enhancements for Boundary Protection
13.16.6.1.1. Control Enhancement SC-7 (1) SC-7 (1) The organization physically allocates publicly accessible information system components to separate sub-networks with separate physical network interfaces.
SC-7 (1) Responsible Role: Control Enhancement Summary Information
Page 299
<Information System Name> System Security Plan Version <0.00> / <Date> SC-7 (1) Control Enhancement Summary Information
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Hybrid (Service Provider and Customer) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-7 (1) What is the solution and how is it implemented?
SC-7 (1) Additional FedRAMP Requirements and Guidance: The service provider and service consumer ensure that federal information (other than unrestricted information) being transmitted from federal government entities to external entities using information systems providing cloud services is inspected by Trusted Internet Connection (TIC) processes.
SC-7 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Additional Control Enhancement Summary Information
Page 300
<Information System Name> System Security Plan Version <0.00> / <Date> SC-7 (1) Additional Control Enhancement Summary Information
Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-7 (1) What is the solution and how is it implemented?
13.16.6.1.2. Control Enhancement SC-7 (2) SC-7 (2) The information system prevents public access into the organizations internal networks except as appropriately mediated by managed interfaces employing boundary protection devices.
SC-7 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-7 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 301
13.16.6.1.3. Control Enhancement SC-7 (3) SC-7 (3) The organization limits the number of access points to the information system to allow for more comprehensive monitoring of inbound and outbound communications and network traffic.
SC-7 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-7 (3) What is the solution and how is it implemented? Control Enhancement Summary Information
13.16.6.1.4. Control Enhancement SC-7 (4) SC-7 (4) The organization: (a) Implements a managed interface for each external telecommunication service; (b) Establishes a traffic flow policy for each managed interface; (c) Employs security controls as needed to protect the confidentiality and integrity of the information being transmitted; (c) Documents each exception to the traffic flow policy with a supporting mission/business need and duration of that need;
Page 302
(d) Reviews exceptions to the traffic flow policy [Assignment: organization-defined frequency]and (e) Removes traffic flow policy exceptions that are no longer supported by an explicit mission/business need. SC-7 (4)(e) Parameter Requirement: [at least annually]
SC-7 (4) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-7 (4) What is the solution and how is it implemented? Part a Control Enhancement Summary Information
Part b
Part c
Page 303
<Information System Name> System Security Plan Version <0.00> / <Date> SC-7 (4) What is the solution and how is it implemented? Part d
Part e
13.16.6.1.5. Control Enhancement SC-7 (5) SC-7 (5) The information system at managed interfaces, denies network traffic by default and allows network traffic by exception (i.e., deny all, permit by exception).
Page 304
13.16.6.1.6. Control Enhancement SC-7 (7) SC-7 (7) The information system prevents remote devices that have established a non-remote connection with the system from communicating outside of that communications path with resources in external networks.
SC-7 (7) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination: Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-7 (7) What is the solution and how is it implemented? Control Enhancement Summary Information
13.16.6.1.7. Control Enhancement SC-7 (8) SC-7 (8) The information system routes [Assignment: organization-defined internal communications traffic]to [Assignment: organization-defined external networks] through authenticated proxy servers within the managed interfaces of boundary protection devices. SC-7 (8) Parameter Requirements: Parameter 1: See additional requirements and guidance. Parameter 2: See additional requirements and guidance. SC-7 (8) Additional FedRAMP Requirements and Guidance: Requirements: The service provider defines the internal communications traffic to be routed by the information system through authenticated proxy servers and the external networks that are the prospective destination of such traffic routing. The internal communications traffic and external networks are approved and accepted by JAB.
Page 305
SC-7 (8) Responsible Role: Parameter 1: Parameter 2:
Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-7 (8) What is the solution and how is it implemented?
13.16.6.1.8. Control Enhancement SC-7 (12) SC-7 (12) The information system implements host-based boundary protection mechanisms for servers, workstations, and mobile devices.
SC-7 (12) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Enhancement Summary Information
Page 306
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-7 (12) What is the solution and how is it implemented?
13.16.6.1.9. Control Enhancement SC-7 (13) SC-7 (13) The organization isolates [Assignment: organization-defined key information security tools, mechanisms, and support components] from other internal information system components via physically or logically separate subnets with managed interfaces to other portions of the system. SC-7 (13) Parameter Requirement: See additional requirements and guidance. SC-7 (13) Additional FedRAMP Requirements and Guidance: Parameter Requirement: The service provider defines key information security tools, mechanisms, and support components associated with system and security administration and isolates those tools, mechanisms, and support components from other internal information system components via physically or logically separate subnets.
SC-7 (13) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Enhancement Summary Information
Page 307
13.16.6.1.10. Control Enhancement SC-7 (18) SC-7 (18) The information system fails securely in the event of an operational failure of a boundary protection device.
Page 308
<Information System Name> System Security Plan Version <0.00> / <Date> SC-7 (18) What is the solution and how is it implemented?
13.16.7.
Transmission Integrity (SC-8)
The information system protects the integrity of transmitted information.

13.16.7.1.
Control Enhancement for Transmission Integrity
13.16.7.1.1. Control Enhancement SC-8 (1) SC-8 (1) The organization employs cryptographic mechanisms to recognize changes to information during transmission unless otherwise protected by alternative physical measures.
Page 309
<Information System Name> System Security Plan Version <0.00> / <Date> SC-8 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-8 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
13.16.8.
Transmission Confidentiality (SC-9)
The information system protects the confidentiality of transmitted information.

SC-9 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Control Enhancement Summary Information
Page 310
<Information System Name> System Security Plan Version <0.00> / <Date> SC-9 Control Enhancement Summary Information
Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-9 What is the solution and how is it implemented?
13.16.8.1.
Control Enhancement for Transmission Confidentiality
13.16.8.1.1. Control Enhancement SC-9 (1) SC-9 (1) The organization employs cryptographic mechanisms to prevent unauthorized disclosure of information during transmission unless otherwise protected [Assignment: organization-defined alternative physical measures] SC-9 (1) Parameter Requirements: See additional requirements and guidance SC-9 (1) Additional FedRAMP Requirements and Guidance: Requirement: The service provider must implement a hardened or alarmed carrier Protective Distribution System (PDS) when transmission confidentiality cannot be achieved through cryptographic mechanisms.
SC-9 (1) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Control Enhancement Summary Information
Page 311
Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-9 (1) What is the solution and how is it implemented?
13.16.9.
Network Disconnect (SC-10)
The information system terminates the network connection associated with a communications session at the end of the session or after [Assignment: organization-defined time period] of inactivity. SC-10 Parameter Requirements: [thirty minutes for all RAS-based sessions; thirty to sixty minutes for non-interactive users] SC-10 Additional FedRAMP Requirements and Guidance: Guidance: Long running batch jobs and other operations are not subject to this time limit.
SC-10 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Control Summary Information
Page 312
SC-10 What is the solution and how is it implemented?
13.16.10.
Trusted Path (SC-11)
The information system establishes a trusted communications path between the user and the following security functions of the system: [Assignment: organization-defined security functions to include at a minimum, information system authentication and re-authentication]. SC-11 Parameter Requirements: See additional requirements and guidance. SC-11 Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the security functions that require a trusted path, including but not limited to system authentication, re-authentication, and provisioning or de-provisioning of services (i.e. allocating additional bandwidth to a cloud user). The list of security functions requiring a trusted path is approved and accepted by the JAB.
SC-11 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Control Summary Information
Page 313
13.16.11.
Cryptographic Key Establishment & Management (SC-12)
The organization establishes and manages cryptographic keys for required cryptography employed within the information system.
Page 314
13.16.11.1.
Control Enhancements for Cryptographic Key Establishment & Management
13.16.11.1.1. Control Enhancement SC-12 (2) SC-12 (2) The organization produces, controls, and distributes symmetric cryptographic keys using [Selection: NIST-approved, NSA-approved] key management technology and processes. SC-12 (2) Parameter Requirements: [NIST-approved]
SC-12 (2) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-12 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
13.16.11.1.2. Control Enhancement SC-12 (5) SC-12 (5) The organization produces, controls, and distributes asymmetric cryptographic keys using approved PKI Class 3 or Class 4 certificates and hardware security tokens that protect the users private key.
SC-12 (5) Responsible Role: Control Enhancement Summary Information
Page 315
<Information System Name> System Security Plan Version <0.00> / <Date> SC-12 (5) Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination: Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-12 (5) What is the solution and how is it implemented? Control Enhancement Summary Information
13.16.12.
Use of Cryptography (SC-13)
The information system implements required cryptographic protections using cryptographic modules that comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
SC-13 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Control Summary Information
Page 316
Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-13 What is the solution and how is it implemented?
13.16.12.1.
Control Enhancement for Use of Cryptography
13.16.12.1.1. Control Enhancement SC-13 (1) SC-13 (1) The organization employs, at a minimum, FIPS-validated cryptography to protect unclassified information.
Page 317
<Information System Name> System Security Plan Version <0.00> / <Date> SC-13 (1) What is the solution and how is it implemented?
13.16.13.
Public Access Protections (SC-14)
The information system protects the integrity and availability of publicly available information and applications.
13.16.14.
Collaborative Computing (SC-15)
The information system:
Page 318
(a) Prohibits remote activation of collaborative computing devices with the following exceptions:[Assignment: organization-defined exceptions where remote activation is to be allowed] and SC-15a Parameter Requirements: [no exceptions] (b) Provides an explicit indication of use to users physically present at the devices.
SC-15 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-15 What is the solution and how is it implemented? Part a Control Summary Information
Part b
SC-15 Additional FedRAMP Requirements and Guidance: Requirement: The information system provides disablement (instead of physical disconnect) of collaborative computing devices in a manner that supports ease of use.
Page 319
<Information System Name> System Security Plan Version <0.00> / <Date> SC-15 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-15 What is the solution and how is it implemented? Additional Control Summary Information
13.16.15.
Public Key Infrastructure Certificates (SC-17)
The organization issues public key certificates under an [Assignment: organization-defined certificate policy] or obtains public key certificates under an appropriate certificate policy from an approved service provider. SC-17 Parameter Requirements: See additional requirements and guidance. SC-17 Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines the public key infrastructure certificate policy. The certificate policy is approved and accepted by the JAB.
SC-17 Responsible Role: Parameter: Implementation Status (check all that apply): Control Summary Information
Page 320
Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-17 What is the solution and how is it implemented?
13.16.16.
The organization:
Mobile Code (SC-18)
(a) Defines acceptable and unacceptable mobile code and mobile code technologies; (b) Establishes usage restrictions and implementation guidance for acceptable mobile code and mobile code technologies; and (c) Authorizes, monitors, and controls the use of mobile code within the information system.
SC-18 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Control Summary Information
Page 321
<Information System Name> System Security Plan Version <0.00> / <Date> SC-18 Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-18 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
13.16.17.
The organization:
Voice Over Internet Protocol (SC-19)
(a) Establishes usage restrictions and implementation guidance for Voice over Internet Protocol (VoIP) technologies based on the potential to cause damage to the information system if used maliciously; and (b) Authorizes, monitors, and controls the use of VoIP within the information system.
SC-19 Responsible Role: Implementation Status (check all that apply): Implemented Control Summary Information
Page 322
Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-19 What is the solution and how is it implemented? Part a
Part b
13.16.18. Secure Name-Address Resolution Service (Authoritative Source) (SC-20)

The information system provides additional data origin and integrity artifacts along with the authoritative data the system returns in response to name/address resolution queries.
SC-20 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Summary Information
Page 323
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-20 What is the solution and how is it implemented?
13.16.18.1.
Control Enhancement for Secure Name-Address Resolution Service
13.16.18.1.1. Control Enhancement SC-20 (1) SC-20 (1) The information system, when operating as part of a distributed, hierarchical namespace, provides the means to indicate the security status of child subspaces and (if the child supports secure resolution services) enable verification of a chain of trust among parent and child domains.
SC-20 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Enhancement Summary Information
Page 324
SC-20 (1) What is the solution and how is it implemented?
13.16.19. Secure Name-Address Resolution Service (Recursive or Caching Resolver) (SC-21)

The information system performs data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources when requested by client systems.
13.16.20. Architecture and Provisioning for Name-Address Resolution Service (SC-22)
Page 325
The information systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal/external role separation.
SC-22 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-22 What is the solution and how is it implemented? Control Summary Information
13.16.21.
Session Authenticity (SC-23)
The information system provides mechanisms to protect the authenticity of communications sessions.
SC-23 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Summary Information
Page 326
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-23 What is the solution and how is it implemented?
13.16.22.
Protection of Information At Rest (SC-28)
The information system protects the confidentiality and integrity of information at rest. SC-28 Additional FedRAMP Requirements and Guidance: Requirement: The organization supports the capability to use cryptographic mechanisms to protect information at rest.
SC-28 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> Control Summary Information
Page 327
13.16.23.
Virtualization Techniques (SC-30)
The organization employs virtualization techniques to present information system components as other types of components, or components with differing configurations.
13.16.24.
Information System Partitioning (SC-32)
The organization partitions the information system into components residing in separate physical domains (or environments) as deemed necessary.
Page 328
<Information System Name> System Security Plan Version <0.00> / <Date> SC-32 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-32 What is the solution and how is it implemented? Control Summary Information
13.17.
SYSTEM AND INFORMATION INTEGRITY (SI) System & Information Integrity Policy & Procedures (SI-1)
13.17.1.
The organization develops, disseminates, and reviews/updates [Assignment: organizationdefined frequency]: (a) A formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) Formal, documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls. SI-1 Parameter Requirements: [at least annually]
SI-1 Control Summary Information
Page 329
<Information System Name> System Security Plan Version <0.00> / <Date> SI-1 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) SI-1 What is the solution and how is it implemented? Part a Control Summary Information
Part b
13.17.2.
The organization:
Flaw Remediation (SI-2)
(a) Identifies, reports, and corrects information system flaws; (b) Tests software updates related to flaw remediation for effectiveness and potential side effects on organizational information systems before installation; and (c) Incorporates flaw remediation into the organizational configuration management process.
SI-2 Responsible Role: Implementation Status (check all that apply): Implemented Control Summary Information
Page 330
<Information System Name> System Security Plan Version <0.00> / <Date> SI-2 Control Summary Information Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-2 What is the solution and how is it implemented? Part a
Part b
Part c
13.17.2.1.
Control Enhancement for Flaw Remediation
13.17.2.1.1. Control Enhancement SI-2 (2) SI-2 (2) The organization employs automated mechanisms [Assignment: organization-defined frequency] to determine the state of information system components with regard to flaw remediation. SI-2 (2) Parameter Requirements: [at least monthly]
SI-2 (2) Responsible Role: Control Enhancement Summary Information
Page 331
<Information System Name> System Security Plan Version <0.00> / <Date> SI-2 (2) Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-2 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
13.17.3.
The organization:
Malicious Code Protection (SI-3)
(a) Employs malicious code protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and eradicate malicious code: Transported by electronic mail, electronic mail attachments, web accesses, removable media, or other common means; or Inserted through the exploitation of information system vulnerabilities; (b) Updates malicious code protection mechanisms (including signature definitions) whenever new releases are available in accordance with organizational configuration management policy and procedures; (c) Configures malicious code protection mechanisms to: Perform periodic scans of the information system [Assignment: organizationdefined frequency] in response to malicious code detection; and
Page 332
[Selection (one or more): block malicious code; quarantine malicious code; send alert to administrator; [Assignment: organization-defined action] ] SI-3c Parameter Requirements: Parameter 1: [at least weekly] Parameter 2: [block or quarantine malicious code, send alert to administrator, send alert to FedRAMP]
(d) Addresses the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
SI-3 Responsible Role: Parameter 1: Parameter 2: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-3 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Page 333
<Information System Name> System Security Plan Version <0.00> / <Date> SI-3 What is the solution and how is it implemented? Part c
Part d
13.17.3.1.
Control Enhancements for Malicious Code Protection
13.17.3.1.1. Control Enhancement SI-3 (1) SI-3 (1) The organization centrally manages malicious code protection mechanisms.
SI-3 (1) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-3 (1) What is the solution and how is it implemented? Control Enhancement Summary Information
Page 334
13.17.3.1.2. Control Enhancement SI-3 (2) SI-3 (2) The information system automatically updates malicious code protection mechanisms (including signature definitions).
SI-3 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SC-3 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
13.17.3.1.3. Control Enhancement SI-3 (3) SI-3 (3) The information system prevents non-privileged users from circumventing malicious code protection capabilities.
SI-3 (3) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Enhancement Summary Information
Page 335
<Information System Name> System Security Plan Version <0.00> / <Date> SI-3 (3) Control Enhancement Summary Information
13.17.4.
The organization:
Information System Monitoring Tools & Techniques (SI-4)
(a) Monitors events on the information system in accordance with [Assignment: organization-defined monitoring objectives] and detects information system attacks; SI-4a Parameter Requirements: [ensure the proper functioning of internal processes and controls in furtherance of regulatory and compliance requirements; examine system records to confirm that the system is functioning in an optimal, resilient, and secure state; identify irregularities or anomalies that are indicators of a system malfunction or compromise] (b) Identifies unauthorized use of the information system; (c) Deploys monitoring devices: strategically within the information system to collect organization-determined essential information; and at ad hoc locations within the system to track specific types of transactions of interest to the organization; (d) Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information; and
Page 336
(e) Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
SI-4 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-4 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Part d
Page 337
<Information System Name> System Security Plan Version <0.00> / <Date> SI-4 What is the solution and how is it implemented? Part e
13.17.4.1.
Control Enhancements for Information System Monitoring Tools & Techniques
13.17.4.1.1. Control Enhancement SI-4 (2) SI-4 (2) The organization employs automated tools to support near real-time analysis of events.
SI-4 (2) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-4 (2) What is the solution and how is it implemented? Control Enhancement Summary Information
13.17.4.1.2. Control Enhancement SI-4 (4) SI-4 (4) The information system monitors inbound and outbound communications for unusual or unauthorized activities or conditions.
SI-4 (4) Control Enhancement Summary Information
Page 338
<Information System Name> System Security Plan Version <0.00> / <Date> SI-4 (4) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-4 (4) What is the solution and how is it implemented? Control Enhancement Summary Information
13.17.4.1.3. Control Enhancement SI-4 (5) SI-4 (5) The information system provides near real-time alerts when the following indications of compromise or potential compromise occurs [Assignment: organization-defined list of compromise indicators]. SI-4 (5) Parameter Requirements: [protected information system files or directories have been modified without notification from the appropriate change/configuration management channels; information system performance indicates resource consumption that is inconsistent with expected operating conditions; auditing functionality has been disabled or modified to reduce audit visibility; audit or log records have been deleted or modified without explanation; information system is raising alerts or faults in a manner that indicates the presence of an abnormal condition; resource or service requests are initiated from clients that are outside of the expected client membership set; information system reports failed logins or password changes for administrative or key service accounts; processes and services are running that are outside of the baseline system profile; utilities, tools, or scripts have been saved or installed on production systems without clear indication of their use or purpose]
Page 339
SI-4 (5) Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines additional compromise indicators as needed. Guidance: Alerts may be generated from a variety of sources including but not limited to malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers.
SI-4 (5) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-4 (5) What is the solution and how is it implemented? Control Enhancement Summary Information
13.17.4.1.4. Control Enhancement SI-4 (6) SI-4 (6) The information system prevents non-privileged users from circumventing intrusion detection and prevention capabilities.
SI-4 (6) Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Control Enhancement Summary Information
Page 340
Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-4 (6) What is the solution and how is it implemented?
13.17.5.
The organization:
Security Alerts & Advisories (SI-5)
(a) Receives information system security alerts, advisories, and directives from designated external organizations on an ongoing basis; (b) Generates internal security alerts, advisories, and directives as deemed necessary; (c) Disseminates security alerts, advisories, and directives to [Assignment: organizationdefined list of personnel (identified by name and/or by role)]; and SI-5c Parameter Requirements: [All staff with system administration, monitoring, and/or security responsibilities including but not limited to FedRAMP] SI-5c Additional FedRAMP Requirements and Guidance: Requirement: The service provider defines a list of personnel (identified by name and/or by role) with system administration, monitoring, and/or security responsibilities who are to receive security alerts, advisories, and directives. The list also includes designated FedRAMP personnel.
Page 341
(d) Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance.
SI-5 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-5 What is the solution and how is it implemented? Part a Control Summary Information
Part b
Part c
Part d
Page 342
13.17.6.
Security Functionality Verification (SI-6)
The information system verifies the correct operation of security functions [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; periodically every [Assignment: organization-defined time-period]] [Selection (one or more): notifies system administrator; shuts the system down; restarts the system; [Assignment: organization-defined alternative action(s)]] SI-6 Parameter Requirements: Parameter 1: [upon system startup and/or restart and periodically every ninety days] Parameter 2: [notifies system administrator]
SI-6 Responsible Role: Parameter 1: Parameter 2: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-6 What is the solution and how is it implemented? Control Summary Information
13.17.7.
Software & Information Integrity (SI-7)
The information system detects unauthorized changes to software and information.

Page 343
<Information System Name> System Security Plan Version <0.00> / <Date> SI-7 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-7 What is the solution and how is it implemented? Control Summary Information
13.17.7.1.
Control Enhancement for Software & Information Integrity
13.17.7.1.1. Control Enhancement SI-7 (1) SI-7 (1) The organization reassesses the integrity of software and information by performing [Assignment: organization-defined frequency] integrity scans of the information system. SI-7 (1) Parameter Requirements: [at least monthly]
SI-7 (1) Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Control Enhancement Summary Information
Page 344
Alternative implementation Not applicable Control Origination: Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-7 (1) What is the solution and how is it implemented?
13.17.8.
The organization:
Spam Protection (SI-8)
(a) Employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means; and (b) Updates spam protection mechanisms (including signature definitions) when new releases are available in accordance with organizational configuration management policy and procedures.
SI-8 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Summary Information
Page 345
<Information System Name> System Security Plan Version <0.00> / <Date> SI-8 Control Summary Information
Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-8 What is the solution and how is it implemented? Part a
Part b
13.17.9.
Information Input Restrictions (SI-9)
The organization restricts the capability to input information to the information system to authorized personnel.
SI-9 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Control Summary Information
Page 346
<Information System Name> System Security Plan Version <0.00> / <Date> SI-9 Control Summary Information Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-9 What is the solution and how is it implemented?
13.17.10. Information Input Accuracy, Completeness, Validity, and Authenticity (SI-10)

The information system checks the validity of information inputs.
SI-10 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-10 What is the solution and how is it implemented? Control Summary Information
Page 347
13.17.11.
Error Handling (SI-11)
The information system: (a) Identifies potentially security-relevant error conditions; (b) Generates error messages that provide information necessary for corrective actions without revealing [Assignment: organization-defined sensitive or potentially harmful information] in error logs and administrative messages that could be exploited by adversaries; and SI-11b Parameter Requirements: [user name and password combinations; attributes used to validate a password reset request (e.g. security questions); personally identifiable information (excluding unique user name identifiers provided as a normal part of a transactional record); biometric data or personal characteristics used to authenticate identity; sensitive financial records (e.g. account numbers, access codes); content related to internal security functions (i.e., private encryption keys, white list or blacklist rules, object permission attributes and settings)]. (c) Reveals error messages only to authorized personnel.
SI-11 Responsible Role: Parameter: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-11 What is the solution and how is it implemented? Control Summary Information
Page 348
<Information System Name> System Security Plan Version <0.00> / <Date> SI-11 What is the solution and how is it implemented? Part a
Part b
Part c
13.17.12.
Information Output Handling and Retention (SI-12)
The organization handles and retains both information within and output from the information system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
SI-12 Responsible Role: Implementation Status (check all that apply): Implemented Partially implemented Planned Alternative implementation Not applicable Control Origination (check all that apply): Service Provider Corporate Service Provider System Specific Service Provider Hybrid (Corporate and System Specific) Configured by Customer (Customer System Specific) Provided by Customer (Customer System Specific) Shared (Service Provider and Customer Responsibility) Inherited from pre-existing Provisional Authorization (PA) for <Information System Name>, <Date of PA> SI-12 What is the solution and how is it implemented? Control Summary Information
Page 349
<Information System Name> System Security Plan Version <0.00> / <Date> SI-12 What is the solution and how is it implemented?
Page 350
Acronyms
Acronym 3PAO ATO CONOPS CSP DHS FedRAMP FIPS GSA ISSO JAB NIST OMB PII PMO POA&M SAP SLA SOC SSP US-CERT Definition Third Party Assessment Organization Authority To Operate Concept Of Operations Cloud Service Provider Department of Homeland Security Federal Risk and Authorization Management Program Federal Information Processing Standard General Services Administration Information System Security Officer Joint Authorization Board National Institute of Standards and Technology Office of Management and Budget Personally Identifiable Information Program Management Office Plan Of Action & Milestones Security Assessment Plan Service Level Agreement Security Operations Center System Security Plan U.S. Computer Emergency Response Team
Page 351
14. SYSTEMS SECURITY PLAN ATTACHMENTS

Instruction: Attach any documents that are referred to in the <Information System Name> System Security Plan.
14.1. ATTACHMENT 1 - [INFORMATION SECURITY POLICIES] 14.2. ATTACHMENT 2 - [USER GUIDE] 14.3. ATTACHMENT 3 - [E-AUTHENTICATION WORKSHEET] 14.4. ATTACHMENT 4 - [PTA/PIA] 14.5. ATTACHMENT 5 - [RULES OF BEHAVIOR] 14.6. ATTACHMENT 6 - [IT CONTINGENCY PLAN] 14.7. ATTACHMENT 7 - [CONFIGURATION MANAGEMENT PLAN] 14.8. ATTACHMENT 8 - [INCIDENT RESPONSE PLAN] 14.9. ATTACHMENT 9 - [CIS WORKBOOK]
Page 352

System Security Plan Template 120512 - 508

Cargado por

Información del documento

Título original

Derechos de autor

Formatos disponibles

Compartir este documento

Compartir o incrustar documentos

Opciones para compartir

¿Le pareció útil este documento?

¿Este contenido es inapropiado?

Copyright:

Formatos disponibles

System Security Plan Template 120512 - 508

Cargado por

Copyright:

Formatos disponibles

System Security Plan <Information System Name>, <Date>

FedRAMP System Security Plan (Template)

<Vendor Name> <Information System Name> <Version 1.0>

System Security Plan <Information System Name>, <Date>

System Security Plan Prepared by

Company Sensitive and Proprietary

System Security Plan <Information System Name>, <Date>

Company Sensitive and Proprietary

System Security Plan <Information System Name>, <Date>

Document Revision History

07/25/2012 10/15/2012 12/5/2012

N/A N/A N/A

FedRAMP Office FedRAMP Office FedRAMP Office

Company Sensitive and Proprietary

System Interconnections ................................................................................................................. 37

Company Sensitive and Proprietary

<Information System Name> System Security Plan Version <0.00> / <Date>

Applicable Laws and Regulations .................................................................................................... 39

13.1.3.1.1. Control Enhancement AC-3 (3) ................................................................................... 61

<Information System Name> System Security Plan Version <0.00> / <Date>

13.3. Audit and Accountability (AU)......................................................................................................... 99

<Information System Name> System Security Plan Version <0.00> / <Date>

13.3.7.1.1. Control Enhancement AU-7 (1) ................................................................................. 111

13.3.8.1.1. Control Enhancement AU-8 (1) ................................................................................. 113

13.4. Security Assessment and Authorization (CA) ................................................................................ 120

13.4.2.1.1. Control Enhancement CA-2 (1) ................................................................................. 123

<Information System Name> System Security Plan Version <0.00> / <Date>

13.5.3.1.1. Control Enhancement CM-3 (2) ................................................................................ 137

13.5.5.1.1. Control Enhancement CM-5 (1) ................................................................................ 139

13.5.7.1.1. Control Enhancement CM-7 (1) ................................................................................ 145

<Information System Name> System Security Plan Version <0.00> / <Date>

<Information System Name> System Security Plan Version <0.00> / <Date>

13.8. Incident Response (IR) .................................................................................................................. 192

13.8.4.1.1. Control Enhancement IR-4 (1)................................................................................... 197

13.8.6.1.1. Control Enhancement IR-6 (1)................................................................................... 200

13.9. Maintenance (MA) ........................................................................................................................ 205

13.9.2.1.1. Control Enhancement MA-2 (1) ................................................................................ 208

<Information System Name> System Security Plan Version <0.00> / <Date>

13.10. Media Protection (MP).................................................................................................................. 217

<Information System Name> System Security Plan Version <0.00> / <Date>

13.12. Planning (PL) ................................................................................................................................. 251

13.13. Personnel Security (PS) ................................................................................................................. 256

13.14. Risk Assessment (RA) .................................................................................................................... 264

<Information System Name> System Security Plan Version <0.00> / <Date>

13.14.2. 13.14.3. 13.14.4.

13.15.9.1.1. Control Enhancement SA-9 (1).................................................................................. 287

13.16. System and Communications Protection (SC) ............................................................................... 294

<Information System Name> System Security Plan Version <0.00> / <Date>

13.16.2. 13.16.3. 13.16.4. 13.16.5. 13.16.6.

<Information System Name> System Security Plan Version <0.00> / <Date>

13.16.16. 13.16.17. 13.16.18.

13.17. System and Information Integrity (SI) ........................................................................................... 329

<Information System Name> System Security Plan Version <0.00> / <Date>

13.17.10. 13.17.11. 13.17.12. 14.

Company Sensitive and Proprietary

<Information System Name> System Security Plan Version <0.00> / <Date>

Company Sensitive and Proprietary

<Information System Name> System Security Plan Version <0.00> / <Date>

ABOUT THIS DOCUMENT

WHO SHOULD USE THIS DOCUMENT?

HOW THIS DOCUMENT IS ORGANIZED

<Information System Name> System Security Plan Version <0.00> / <Date>

Section 13 provides an in-depth description of how each security control is implemented.